Scott Testa: “People thought outsourcing was a panacea to cure all ills.”

operations manager for Maine’s IT department, helped the IT staff as they worked through bugs in the state’s new Medicaid claims processing system

MAINE’S MEDICAID MISTAKES | 46

Maine’s attempt to build a new Medicaid claims processing system is a classic example of how not to run a massive project. By Allan Holmes

THE THREE (OR FOUR) YEAR ITCH | 56

To succeed, relationships require love and attention. That’s why CIOs—especially midmarket CIOs with limited resources—should factor in the costs of hand-holding when going offshore. By Stephanie Overby

Data Centers

POWERING DOWN | 68

Electricity-hungry equipment, combined with rising energy prices, are devouring data center budgets. Here’s what you can do to get costs under control. By Susannah Patton

CREDIT WHERE CREDIT IS DUE | WWW.CIO.COM/041506

Productivity has been increasing steadily for years and CIOs think IT deserves a lot of the credit. But proving that hasn’t been easy. That’s why we asked MIT’s Erik Brynjolfsson about his new research on metrics and IT best practices. By C.G. Lynch

Electronic data discovery tools help investigate fraud, breaches and other bad behavior. But CIOs should approach them with caution.

Essential Technology by Galen Gruman

The Workplace

Some leaders are so bad, they can poison a company. Here’s how to spot them, and what you can do about them.

Total Leadership by Patricia Wallington

Software Optimization

THE VALUE INSIDE | 38

CIOs should regard success with an application as an invitation to see what else the software can do for their business.

It’s All About the Execution by Michael Schrage

Business Continuity

AFTER THE STORM | 42

Even though this Mississippi-based CIO lost everything in Hurricane Katrina, the disaster gave her a newfound appreciation for the coworkers who rallied around her. Peer to Peer by Jan Rideout
NEWS AND MORE NEWS

CIO’s News Alerts (www.cio.com/news)—our daily roundup of the top business news items you need to know—has proven very popular. Now two additional news feeds join it:

» Tech Informer—The one place online where you can find the latest product announcements and emerging technology releases.

» Microsoft Informer—The Redmond giant is hard to keep up with. But we’ll try here. Check back often for updated news on the latest from and about Microsoft.

To find the new columns, go to www.cio.com. Then add them to your RSS reader to get the latest.
FROM THE EDITOR

27 Reasons to Read This Magazine

That’s the number of actionable tips and solutions you’ll find in the current issue of CIO

A little over a year ago, we went through an exercise where we pinned up the year’s covers and asked a group of CIOs to react to them. What we heard from them was surprising. After more than a decade of having our readers tell us that they wanted more failure stories (because IT is hard and there was more to learn from analyzing the setbacks their peers encountered than from celebrating their successes) and fewer articles about the CIO role (what we call, “It’s all about you” stories), this group of IT executives practically recoiled from those covers reflecting the former and were drawn to the latter like kids to candy.

What was up with that?

The backlash against IT a few years ago (a.k.a. the “Does IT Matter?” debate) put CIOs on the defensive, forcing them to justify everything they did and how they did it. Any failure, anywhere, was seen as part of the mounting evidence against IT and against them. In short, CIOs felt beat up, and failure stories on the cover of CIO felt like a personal attack.

So why are we putting “Maine’s Medicaid Mistakes” on the cover? There are four reasons:

■ It’s an important and dramatic story. IT is a powerful tool; it can be dangerous in the hands of inexperienced operators. In this case, it wasn’t just corporate profits at stake; it was people’s health and welfare. As a journalistic enterprise, our responsibility is to report such stories.

■ The mistakes made in this project were basic ones, Project Management 101. In 2006, there’s no excuse for CIOs to be making these kinds of mistakes—or for organizations to be undertaking such critical projects without adequate oversight and project management discipline in place.

■ I believe the climate has changed. CIOs can stop feeling so defensive when they read about bad things happening in other organizations. Sometimes, it’s not all about you!

■ Finally, and perhaps most importantly, this story is filled with important lessons. Which brings me back to where I began.

In addition to the 10 essential tips for successful project management you’ll find in our cover story (by Washington Bureau Chief Allan Holmes, beginning on Page 46), this issue also delivers seven steps to a successful offshore relationship (“The Three—or Four—Year Itch,” Page 56); three solutions to lowering your data center energy costs (“Powering Down,” Page 68); and MIT economist Erik Brynjolfsson’s seven practices of highly effective organizations (though you’ll have to visit our website at www.cio.com/041506 for that one). If you do the math, that makes 27. And that’s not even counting our columns and departments.

So while our cover is dramatic and news-driven, our content is practical and useful. The cover is not about you, but the articles, we hope, will serve you well in your role as CIOs.

Let me know how we did.

Abbie Lundberg, Editor in Chief

lundberg@cio.com

BUSINESS TECHNOLOGY LEADERSHIP

FROM THE CEO

The Competitive Advantage

In a technology company, who’s more important than the CIO?

On July 11, 2005, Hewlett-Packard announced with great fanfare that former Dell CIO Randy Mott would be joining the company. This was one of HP CEO Mark Hurd’s first significant hires, and it deserved the applause it received. However, what went conspicuously underreported was the identity of Mott’s successor, Susan Sheskey.

Dell does more than $54 billion in sales but this past year saw its stock price fall from $42 a share to $29. In today’s times, change is a fact of business life. Yet what has not changed is that Dell’s competitive advantage is closely tied to its ability to execute on technology. And with Sheskey in the CIO post, Dell is still executing.

As we’ve frequently noted in CIO, succession planning is critical to business success, and never more so than when markets are volatile. At this point, it seems that Mott lived up to his succession-planning responsibilities. (For tips on succession planning, see “Nothing Succeeds Like Succession,” www.cio.com/050105.) Having had the opportunity to meet with Sheskey recently, it’s clear to me that her business technology floor plan for Dell is to push the boundaries of innovation.

Sheskey discussed her goals for Dell, and I think they’re relevant for every CIO who is leading the charge for innovation:

■ Create an IT environment that can differentiate your specific customer interactions;

■ Make your IT architecture a model of excellence that your customers can learn from;

■ Have your IT organization become a destination of choice for IT professionals.

Spend enough time inside Dell and you’ll hear the mantra “Discipline to Delivery,” which describes the company’s desire to move from strategy to process to execution at the speed of light. Creating an environment where one can achieve business leadership, technology leadership and career development enables one not only to chant this mantra but to live it.

Sheskey and her team are on their way to generating their own press clippings. I would enjoy hearing from you as to what your goals and aspirations are for your IT team. Please send them to me.

Michael Friedenberg, President and CEO

mfriedenberg@cxo.com

P.S. In last month’s column I asked for best practices for people and organizations currently paralyzed by change. A lot of you sent me General Patton’s famous quote, “Lead, follow, or get out of the way.” Sound advice and please keep the feedback coming.
The Next Compliance Headache

RECYCLING

Proper disposal of computer equipment may be the right thing to do, but increasingly, it is also a legal requirement.

A California law that took effect in February makes it illegal for households and small businesses to toss out “universal waste,” which includes cathode ray tubes, products that contain mercury, batteries and other toxic substances included in electronics. The prohibition was already in place for enterprises, but the law’s extension is one of the electronic-waste regulations grabbing attention this year. A European Union directive that takes effect in July goes further than any law in the United States, requiring that electrical and electronics equipment distributed there be free of certain toxins.

While there is no similar federal law in the United States yet, the U.S. Environmental Protection Agency does have regulations regarding how toxic waste, including materials used in electronics, must be handled and disposed of, notes Jonathan Zigman, VP for CSI Leasing, an IT leasing company. His advice to CIOs is to behave as though their companies are going to be audited by the EPA regarding toxic equipment handling and (Continued on Page 16)
We Don't Need No Stinkin' Batteries

MOBILE COMPUTING

MIT researchers have found a way to extend the working life of mobile computers by drawing power from ultracapacitors rather than batteries.

Ultracapacitors are still three to five years away from becoming the main power source for laptops and handhelds, although they’re already used for backup power in many small consumer products, according to Joel Schindall, a professor in MIT’s Department of Electrical Engineering and Computer Science.

The new device is called a nanotube-enhanced ultracapacitor, or NEU. Capacitors store energy as an electrical field, which is more efficient than standard batteries that generate energy from chemical reactions. Ultracapacitors are even more efficient. The drawback is size—they need to be larger than batteries to hold the same charge.

MIT researchers solved this problem by taking advantage of the enormous surface area of nanotubes: molecular-scale straws of carbon atoms that enable ultracapacitors to store electrical fields at the atomic level.

The new technology could shake up the computer business, where energy efficiency is becoming a selling point. (See “Powering Down,” Page 68.)

How fast a battery charges is also important to users. A cell phone powered by MIT’s ultracapacitor could completely recharge in just a few seconds.

-Ben Ames
The People Who Really Run IT

KUDOS

They are skilled project managers. They combine negotiating savvy with good customer service. They are entrepreneurial and good at solving problems. And they understand the business.

We’re not talking about your managers. Or your business analysts. They may have some of these skills. But the one person on your team who has aptitude in all these areas—and makes you look good in the process—is your administrative assistant. According to the International Association of Administrative Professionals, executive assistants have broader skill sets than most professionals (probably, even you).

In recognition of Administrative Professionals Day (April 26), we’re honoring two executive assistants, nominated by their CIOs, as the winners of CIO’s Best Administrative Assistant Contest: Lee Ann Fisher, assistant to Edward Chapel, associate VP of IT with Montclair State University; and Jessica Raichl, assistant to CIO Eugene Nizker with Custom House Currency Exchange. Driven by passion for their work and a caring spirit, each keeps the IT department running smoothly. Two other nominees—Carol Nash, assistant to Edward Marx, CIO with University Hospitals Health System; and Darlene Sillick, assistant to Cardinal Health CIO Jody Davids—were selected for honorable mentions by CIO editors.

At Montclair State, Fisher is “redefining what constitutes the admin role here,” says Chapel, who considers her part of his management team. Hyper-conscious of the university’s tight budget, Fisher established new processes for evaluating the IT staff’s travel plans, saving the department $20,000 a year.

Before Nizker hired Raichl three years ago, he required her to submit three writing samples. But her skill at correspondence is just one of the qualities that led Nizker to describe her as the “glue” that holds his department together. “She guards me from problems that I will never know about,” he says, and protects the entire team. A few months ago, the local police called Nizker’s office insisting they needed to ask questions about a member of the IT staff. Concerned about appearances, Raichl told the police they could not come into the office, offering instead to meet them elsewhere. Ultimately, the incident turned out to be a big misunderstanding, and Raichl’s quick thinking and protective instincts prevented gossip and any further problems.

Nash, Marx’s assistant at University Hospitals Health System, received an honorable mention for what her boss says is her “customer-service talent and passion.” She’s an expert at calming angry business users when they’re having a technical problem. Cardinal Health’s Sillick, meanwhile, is being recognized for her compassion and friendship. When Davids’ son died in Iraq last year, Sillick notified contacts who Davids knew personally, arranged travel, hotel and transportation for relatives, and organized the efforts of those who wanted to help. “I could not have gotten through that period without Darlene,” Davids says.

-Stephanie Overby

Lee Ann Fisher (top) and Jessica Raichl, winners of CIO’s Best Administrative Assistant Contest

Recycling (Continued from Page 15)

disposal, whether or not such an audit really is likely.

“Assume that the strictest laws are going to be enforced everywhere,” Zigman says, “and it’s going to make your life much easier.” He recommends that CIOs appoint a coordinator to be responsible for an e-waste plan. Besides a written policy, which is required by the EPA, Zigman says, CIOs should perform due diligence on third-party vendors to ensure, for instance, that they can certify what happens to equipment once it is hauled away.

Also on the federal level, lawmakers involved with the Congressional E-Waste Working Group are pushing for a national recycling plan. And in February, the U.S. Postal Service launched an initiative to form partnerships with contractors to handle items disposed of in a nationwide e-waste recycling program for consumers and small businesses.

The E.U. directive requires that electrical and electronics equipment manufactured for distribution in E.U. nations after July 1 must be free of lead, mercury, cadmium, chromium and other specified toxins. (There are exemptions for certain medical and other devices.) Over time the directive will mean that electronics and electrical products globally will be more environmentally friendly, since manufacturers aren’t likely to produce separate goods for distribution outside of the European Union, according to IT analysts.

Meanwhile, analyst Roger Kay, president of Endpoint Technologies Associates, appeals to the conscience of those making decisions about recycling and equipment disposal. “From my perspective, there’s no question about compliance. Not only is it illegal in many states to dump [e-waste], it’s just the wrong thing to do,” he says.

-Nancy Weil
WORKFORCE CRISIS

Workforce Crisis: How to Beat the Coming Shortage of Skills and Talent
By Ken Dychtwald, Tamara J. Erickson and Robert Morison
Harvard Business School Press, 2006, $29.95

Sign Up Top Workers Before They’re Hot

Planning ahead for the coming baby boomer retirement binge

BOOK REVIEW

In the coming war for talent, organizations that recruit and retain top-notch workers before the labor shortfall becomes acute will possess a competitive advantage. So say authors Ken Dychtwald, Tamara Erickson and Robert Morison in Workforce Crisis: How to Beat the Coming Shortage of Skills and Talent.

Much ink has been spilled elsewhere on the oft-cited estimate of a 10 million worker shortfall in the United States by 2010. More worrisome to the authors is the skills crunch they believe will precede this labor shortage.

IT has felt the pinch of this for some time: Witness the current shortage of information-technology graduates. But the perfect storm of baby boomer retirements and a deficit of young workers means the situation is poised to go from bad to worse unless employers take steps now to secure their talent pool. Workforce Crisis offers a road map for getting ahead now, by rewriting “the employment deal” with workers today.

In part, this means abandoning one-size-fits-all HR and becoming flexible—in work arrangements, education, and compensation and benefits—to accommodate workers in three distinct groups: mature workers (55 or over), midcareer workers (35-54 years old) and young workers (18-34 years old).

The particulars will vary. An older worker may prefer phased-retirement or retiree-return programs; a midcareer employee may need a sabbatical or leadership development to relaunch a career; and a young worker may crave decision-making responsibility or an engaging, stimulating workplace.

The book’s emphasis is on early action for dealing with the changing workforce. To that end, it is filled with case studies and best practices, as well as advice for undertaking a workforce analysis and overcoming barriers to change.

-Stephanie Gelston
A Better Way to Search for Trouble

NETWORK MANAGEMENT

Sifting through performance logs saps time and money from just about every enterprise. System administrators who oversee networks of hundreds of servers might spend entire days reading files from a variety of devices to monitor overall network health. For even the most meticulous among us, this work is tedious.

Splunk is designed to change this. The software, from a startup of the same name, is a system log search tool that empowers system administrators to scrutinize their network performance logs more easily. While other log management tools exist, few if any cull data from every part of a network.

Think of Splunk as Google for system logs. Customers configure the tool to read logs from different network outposts. To use it, system administrators set their sights on a type of record (say one that would indicate a distributed denial-of-service attack), type a relevant phrase in a search box, and sit back while the software searches for the appropriate report.

The product can be used in several areas, including monitoring network security and keeping tabs on changes to a server. CEO Michael Baum estimates that Splunk can cut log management time to mere minutes in an average-size company and reduce the mean time to recovery after a network failure.

Glenn Evans, lead network engineer for Interop, says he used the software last year to keep tabs on the network for the annual InteropNet conference from one central location, analyzing network data immediately as it churned out. “Having Splunk was like having a second or third pair of eyes,” he says.

-Matt Villano
Keeping Internet Pipes Free of Charge

Bills would prevent telecoms from assessing fees to competitors for traffic on broadband networks

As Congress debates on major telecommunications legislation, lawmakers are considering proposals that would prohibit large telecom providers from charging fees to online content companies that use their broadband networks. The measures would prevent the vendors from blocking services or providing slower download times for other vendors’ services.

A so-called Net neutrality law would ensure that broadband customers have unfettered access to any legal content or service offered online and could operate any legal device, such as a voice-over-IP phone, no matter which vendor provides it. Backers of the idea (advocated by Rep. Rick Boucher, D-Va., and Sen. Ron Wyden, D-Ore., among others) say that without a law, the danger exists for large telecom and cable companies—which control most of the broadband pipes in the United States—to discriminate against smaller competitors who provide their services through the larger companies’ networks.

That’s what Todd Putnam, CIO of Pac-West Telecom, is worried about. In January, Putnam’s company announced an alliance with VeriSign to offer converged VoIP and other data services. Without a Net neutrality law, Putnam worries that large broadband providers will be tempted to charge more for services they carry for competitors or provide faster access to their own customers and affiliates. “It will not be a level playing field,” he says.

Recently, officials from AT&T, BellSouth and Verizon have complained about companies such as Google riding for “free” over their broadband networks. (Google counters that it pays plenty for its own broadband access.) These large providers told Congress in February that they have no intention of blocking or slowing services to websites customers want.

However, DSL provider BellSouth (which is being acquired by AT&T) has proposed charging content providers an additional fee for improved network quality, including faster customer access, on its DSL network. AT&T, meanwhile, has proposed creating a high-speed network for its broadband television service separate from the rest of the Internet. The companies argue that they need ways to pay for building the faster networks.

-Grant Gross


SOA  Adoption  Gains 
Momentum 


Companies  target  mission-critical  areas  first 


Implementation  of  service-oriented  architecture  (SOA)  is  on  the  rise,  reports 
the  Yankee  Group.  The  consultancy’s  survey  of  306  U.S.  IT  executives  found  that 
84  percent  had  an  SOA  project  or  would  be  starting  one  within  the  next  year. 

SOA is an approach to software design that promotes the development and integration of reusable components that are based on elements of a business process. For example, if the elements of a business process required for customers to order a product online (such as checking inventory, looking up the customer record, checking credit) reside on different systems, writing each component as a service allows the speedy integration and delivery of the information needed to complete the transaction. Because services can be changed without affecting users, SOA reduces development time, lowers costs and allows business processes to be reconfigured easily.

Because  of  the  cost  savings,  the  best  areas  to  start  applying  SOA  are  those  with  the 
most  impact  on  the  bottom  line,  says  Tom  Dwyer,  research  director  with  the  Yankee 
Group.  He  adds  that  for  most  companies  surveyed,  these  areas  are  customer-facing 
business  processes,  which  affect  revenue  most  directly. 

Among  respondents  that  have  already  implemented  SOA  projects,  most  targeted 
customer-facing  websites  or  portals  (30  percent)  and  help  desk  and  customer  support 
applications  (29  percent).  But  the  future  belongs  to  internal  integration.  Seventy-three 
percent  of  respondents  said  they  are  evaluating  or  currently  deploying  SOA  projects 
to  integrate  internal  business  applications,  and  72  percent  were  looking  into  or 
currently  implementing  it  to  aggregate  data  and  content. 


[Chart: Plans for SOA Deployment]

Top Areas for SOA Investment
Customer-facing processes, internal integration and data accessibility are priorities

Already Implemented
30% Customer-facing website/portals
29% Help desk and customer support
25% Integration of internal business applications

Evaluating or Deploying
73% Integration of internal business applications
72% Data/content aggregation and accessibility
65% Customer-facing website/portals
65% Internal supply chain/procurement

SOURCE: The Yankee Group


Best Practices:

Coordinate SOA investments. Each SOA project should be reviewed by a cross-functional team that has responsibility for setting and maintaining IT architecture standards. The team should make sure each SOA project can be integrated with the ones that come before it.

Make a business process map. Inventory all enterprise services that support mission-critical operations and figure out how they relate to each other. “You probably won’t get funded to do this,” says Dwyer, “but it will become increasingly important with each SOA project.” Having a map of existing enterprise services will ensure a company won’t waste money on incompatible or duplicative projects, and make it easier to respond when a business model changes.

Define data. Create a set of data definitions that will be used to build SOA-based applications, such as what data is encompassed by the terms “order” or “account address.” Definitions should be standardized throughout the company.


FROM INCEPTION TO IMPLEMENTATION - I.T. THAT MATTERS

ESSENTIAL TECHNOLOGY

Electronic data discovery tools help investigate fraud, breaches and other bad behavior. But CIOs should approach them with caution.


“CSI”  for  the  Enterprise? 

BY  GALEN  GRUMAN 

SECURITY | Michael Osborne has been getting a lot of vendor calls lately pitching a new breed of products, typically called electronic data discovery (EDD) tools. These tools promise to investigate historical data to uncover security breaches, compliance failures and plain old errors in transactions across various enterprise systems, from network administration to accounting. Driven by compliance requirements such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act, these tools focus on user activities, such as who accessed a database or updated a customer account. The goal is to look at both real-time and historic patterns across multiple databases, networks and applications to find suspicious activities that might indicate insider financial fraud, customer identity theft, compliance policy breaches or theft of proprietary data such as customer contacts or product designs. As the senior security manager at Kimberly-Clark, which makes health and hygiene products, Osborne is interested in ways to prevent supplier or insider fraud, such as detecting sham providers used to steal or launder money. In other organizations, electronic data discovery tools might be used to detect identity theft or violations of information-access policies.


Osborne is not alone in getting these pitches, say analysts and consultants, who warn that CIOs should be cautious. “There’s a lot of vaporware out there,” says Avivah Litan, a security research director at Gartner. “You’re seeing vendors build an industry around scare tactics over compliance and security.”

That’s not to say there aren’t useful technologies available. For example, Osborne is evaluating a tool from Oversight Systems that analyzes accounting information from SAP and other financial systems to detect fraud and errors both in current transactions and in past transactions stored in the SAP system. He’s recommended that Kimberly-Clark seriously consider adopting the technology.

At online shopping service provider 2Checkout.com, Tom Denman, the director of risk management, has adopted 41st Parameter’s analysis tools to detect fraud in the shopping and financial transactions that his service handles for online stores. 2Checkout used to rely on real-time security event monitoring tools but found they couldn’t do as thorough an analysis in real-time. Denman now batches customer transactions and uses 41st Parameter tools to analyze them against previous transactions and various fraud patterns, to detect stolen credit cards and the like (one fraud pattern might be the use of a credit card number for online purchases the same day in several countries). Suspect transactions get flagged for human review, prioritized by risk level.

The use of historical data correlated across multiple systems and a focus on user activity is what distinguishes EDD from real-time security event monitoring (SEM) tools, which typically are used to monitor network activity for intrusions and viruses. EDD provides more context in which to find fraud or uncover breaches. “The tools can serve the understand-and-prevent function,” says Keith Schwalm, vice president of Good Harbor Consulting, a security advisory firm. EDD tools can work as an adjunct to SEM tools, or provide both functions, notes Amrit Williams, a security research director at Gartner. The vendor trend is to merge the two functions into a suite, he adds.

Beware  the  Forensics  Label 

Many salespeople attach the label “forensics” to their security and compliance analysis tools, and that can be very misleading. In law enforcement circles, “forensics” means a well-defined set of discovery and investigative processes that hold up in court for civil or criminal proceedings. An enterprise that relies on these tools’ records or analysis in, for example, a wrongful termination suit, is probably in for an unpleasant surprise. “It may not hold up in court,” says Schwalm, a former Secret Service agent. “Very few vendors have an idea of what the requirements [are for proof, from a legal perspective]. They’re really providing just a paper trail. You should challenge what the vendor means by ‘forensics capability,’” he adds.

One gotcha of using EDD tools for legal purposes is proving the inviolability of the data. Tools that keep or aggregate event logs may not provide access control that lets the enterprise prove that the underlying data is unaltered and accurate.

This issue is particularly critical because most vendors pitch their EDD tools as a way of detecting internal threats. Yet an insider is in the best position to access and alter data to cover his tracks or deflect blame to someone else, making truly secure access control and data management policies a must to even consider relying on EDD tools in a legal case. To thwart insider manipulations, critical functions such as setting up new vendors or changing payment destinations should require multiple levels of approval. “One person shouldn’t be minding the whole store,” says 2Checkout’s Denman.

70% of users need tools to analyze both past and real-time events. SOURCE: Gartner

A related concern is being able to go back to the original raw data, since most EDD tools alter the original data to put it into a searchable database and to make formats from different types of monitoring appliances consistent. Such regularization is necessary to analyze the records, but to be legally effective, there must be a defensible way to show that it didn’t distort the original data, says Gartner’s Litan.
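The two concerns above (proving that stored records are unaltered, and showing that normalization did not distort the raw data) can be illustrated with the following added Python example, which is not from the article or from any vendor's product. It keeps every raw line verbatim in a hash chain and re-derives each normalized record during audit; the two log formats, the field names and the `EvidenceStore` class are assumptions made for the example.

```python
import hashlib
import re

GENESIS = "0" * 64  # fixed anchor that the first chain link builds on

# Two constructed source formats, standing in for different monitoring appliances.
FW = re.compile(r"(\S+) fw action=(\w+) src=(\S+) user=(\S+)$")
DB = re.compile(r"\[(\S+)\] DB (\w+) table=(\S+) by (\S+)$")

# Constructed sample lines (not real log data).
SAMPLE = [
    "2006-01-10T09:14:05Z fw action=ALLOW src=10.0.0.5 user=jdoe",
    "[2006-01-10T09:14:31Z] DB UPDATE table=vendors by jdoe",
    "[2006-01-10T09:15:02Z] DB UPDATE table=payments by jdoe",
]


def normalize(raw):
    """Deterministically map a raw line onto one searchable schema."""
    m = FW.match(raw)
    if m:
        ts, action, src, user = m.groups()
        return {"ts": ts, "source": "firewall", "user": user,
                "event": action.lower(), "detail": src}
    m = DB.match(raw)
    if m:
        ts, op, table, user = m.groups()
        return {"ts": ts, "source": "database", "user": user,
                "event": op.lower(), "detail": table}
    raise ValueError("unrecognized log format: %r" % raw)


def link(prev_digest, raw):
    """Digest binding a raw line to everything ingested before it."""
    return hashlib.sha256((prev_digest + "\n" + raw).encode("utf-8")).hexdigest()


class EvidenceStore:
    """Keeps the raw line, its normalized form and a chained digest together."""

    def __init__(self):
        self.entries = []

    def head(self):
        return self.entries[-1]["digest"] if self.entries else GENESIS

    def ingest(self, raw):
        entry = {"raw": raw, "normalized": normalize(raw),
                 "digest": link(self.head(), raw)}
        self.entries.append(entry)
        return entry["digest"]

    def audit(self, trusted_head):
        """Return (index, problem) pairs; an empty list means nothing was found."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            # 1. The raw line must still hash to the digest recorded at ingest.
            if link(prev, e["raw"]) != e["digest"]:
                problems.append((i, "raw line does not match its chain digest"))
            # 2. Re-running normalization must reproduce the searchable record.
            try:
                if normalize(e["raw"]) != e["normalized"]:
                    problems.append((i, "normalized record differs from raw line"))
            except ValueError:
                problems.append((i, "raw line no longer parses"))
            prev = e["digest"]
        # 3. A consistent chain rewritten end to end still fails this check.
        if self.head() != trusted_head:
            problems.append((None, "chain head differs from the copy held outside the tool"))
        return problems


def build_sample():
    store = EvidenceStore()
    for line in SAMPLE:
        store.ingest(line)
    return store, store.head()


if __name__ == "__main__":
    store, head = build_sample()
    store.entries[1]["raw"] = store.entries[1]["raw"].replace("by jdoe", "by asmith")
    for index, problem in store.audit(head):
        print(index, problem)
```

The third check only has value if the head digest is recorded by someone other than the people who administer the log store, which is the same separation of duties Denman describes.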

There are no broad standards for what constitutes acceptable forensics. Different courts and law enforcement agencies have their own standards, so the CIO should make sure his security experts consult with those organizations to find out what evidence they’ll require to pursue a case. 2Checkout’s Denman has done just that, working with the FBI’s cybercrime task force “to know what they look for.” For example, investigators prefer to make


PROTECTION

Taking Data Protection to The Edge

Digital Data Protection Must Cover Today’s Mobile, Extended Enterprises

In today’s information-driven world, many businesses are working within the reality that data increasingly lies at the heart of their success. At the same time, the workforce has become more scattered, a fact driven home by the explosion of mobile workers. According to a study by IDC, the global mobile workforce is expected to grow to 878 million mobile workers by 2009. With that explosion has come a data migration, as business-critical data moves from the safety of the data center to local storage such as individual laptops, servers and PCs. Business leaders need to access, analyze and draw insights from their corporate data—all within a corporate environment that is increasingly driven by regulatory issues to closely track, monitor and protect business data regardless of where it lies inside—or outside—the workplace.

“Companies are realizing that there’s a whole lot of data out there, and a lot of it is outside of data center control,” says Kevin Roden, CIO of Iron Mountain. “That risk to a business is magnified exponentially with the changes in privacy regulations and requirements.”

In  this  new  world,  it  is  increasingly  obvious  that  CIOs  must 
have  more  than  a  standard,  centralized  backup  and  recovery 
plan — they  must  build  a  strategy  that  protects  data  wherever  it 
resides  in  an  increasingly  mobile  world.  The  question  is,  how 
can  they  do  so  within  the  constraints  of  an  IT  infrastructure 
that  may  not  be  able  to  protect  mobile  data? 


THE  PROBLEM 

At issue is a basic disconnect between how data is used and stored and how it is protected. Many disaster recovery and data backup plans are written for data centers, and completely neglect the data that resides elsewhere, such as remote office servers or laptops and PDAs. That translates to a huge business vulnerability, as much data—as high as 60 percent—is decentralized and lies outside of the centralized cone of safety. Such mobile data constitutes a huge risk factor. Tape backup methodologies outside the data center are largely undermanaged and unreliable. In fact, according to Gartner Group, more than 40 percent of such data is not properly backed up each night. Moreover, when those backups do occur, they are not conducted within the centralized control of IT, but rather by remote workers with little interest or expertise in backing up data.

“The problem is that remote offices rarely have the resources to manage data protection and security services,” says Brian Babineau, an analyst at Enterprise Strategy Group in Milford, Mass. With such an unreliable plan in place, it’s small wonder that Storage magazine estimates 77 percent of companies that conducted a backup audit also discovered bad tapes.

At  the  2004  Gartner  Data  Center  conference,  69  percent  of 
attendees  said  they  were  unhappy  with  their  current  backup 
solution  for  remote  servers,  and  with  good  reason. 

The risk to data on mobile technology is even greater, as it represents a twofold danger. “Mobile workers are taking critical information out on the road with them, but it’s challenging to protect that data and recover as needed,” says Babineau. “On top of that, you have to figure out how to secure that data if somebody loses their laptop.”

The business risks are huge, as failure to protect such a large quantity of business information puts both corporate reputation and revenue streams at risk. Many businesses cannot stand an extended disruption of business, yet they continue to take daily risks with the safety of their data, through either outright neglect or overburdening an IT staff with tasks that take them away from their core mission to add business value through innovative technology implementations. The end result is sobering: a company that is vulnerable to disaster, fraud, exposure and potentially disastrous errors.

THE SOLUTION

Smart CIOs realize that a standard, centralized backup plan is no longer sufficient. Rather, they must build a strategy to protect data that increasingly resides at the edge of the network in an enterprise, rather than in a centralized data center.

“We’re  seeing  the  more  forward-thinking  companies 
and  people  who  understand  the  value  of  information  on  the 
edge  of  the  network,  and  are  starting  to  build  a  strategy  to 
address  it,”  says  Roden. 

Roden  recommends  the  following  as  vital  to  success: 

MOBILE WORKFORCE PROTECTION. Here, CIOs should look for reliable, secure and automatic backup and recovery services that offer a breadth of options and choices. Web-based access and centralized control are vital. Look for the ability to access and manage media, control authorization levels, and initiate physical security on a laptop as well. The key is to automate here—users cannot be relied on to secure and protect their data and mobile devices. A service such as DataDefense™ is key. DataDefense™ provides automatic, intelligent encryption of all sensitive PC data, without requiring any special action by the end user and regardless of whether a system is online or offline. When a system is reported lost or stolen - or DataDefense™ detects behaviors that are inconsistent with authorized use - sensitive data is automatically eliminated and the PC is disabled. “The approach is to take as much uncertainty out of the equation as possible,” says Roden. “It’s important to make sure that accountability lies with the data protection solution, not the users.”

REMOTE OFFICE PROTECTION. CIOs need coverage all the way to the network’s edge, including data on distributed and remote servers, without the risks and failures inherent in tape backup products. By choosing reliable integrated backup, offsite data protection and recovery services, CIOs can build a strategy that encompasses each piece of the data protection puzzle without having to build a fragmented layer of services. The best solutions also reduce the overall TCO of data protection by reducing tape handling and maintenance costs and risks while simultaneously lifting workload from the IT staff. “If you’re a bank, you want your best IT minds thinking about applying IT to financial services, not backing up data,” says Roden. “You need to look for solutions that are automatic and reliable, and require no human intervention.”

DISTRIBUTED DATA PROTECTION

The amount of data decentralized outside the centralized cone of safety

878 MILLION: The number of mobile workers by 2009, according to IDC

40%: Percentage of distributed data not properly backed up each night

69%: Percentage of attendees at 2004 Gartner Data Center conference unhappy with current backup solution for remote servers

77%: Percentage of bad tapes discovered by companies who tested their backup systems - Storage Magazine

ENHANCED BUSINESS VALUE. Data protection strategies must also maximize the business value of corporate data by providing timely recovery and assuring business continuity. Arriving at acceptable recovery levels means that CIOs must weigh business risk versus recovery costs, so it’s important to be able to access an array of service offerings that can be chosen to match differing levels of business data. “Having choices from a service provider to deliver various RPOs (Recovery Point Objectives) and RTOs (Recovery Time Objectives) is crucial, because not all data is equal, and not all of it should be protected equally,” says Babineau.

In  the  final  analysis,  CIOs  must  make  a  choice:  Do  they  care 
enough  to  protect  and  secure  data  at  the  edge?  And  if  so,  how 
do  they  do  it? 

“You can shell out a ton of budget dollars on tape drives and backup software for PCs, along with the labor involved in managing the backup and convincing employees that it’s important,” says Babineau. “The alternative is to use a solution that takes the responsibility, and does all that for you automatically.”

Iron Mountain

For more information on how to implement data protection and ensure recovery, check out www.ironmountain.com/digital


forensically  sound  copies  of  original  data  or 
the  best  available  evidence;  they  never 
manipulate  original  data  directly. 

CIOs should be sure they don’t approach EDD solely as an IT issue. “Let your general counsel manage this,” advises Matt Curtin, founder of the forensic computing consultancy Interhack. An attorney can best decide what records would be needed for legal proceedings. And he can set guidelines on cleansing transaction histories: “The longer you keep the data, the more you have to be subpoenaed,” Curtin says, “so you’ll be hit for more [discovery] requests.” That increases the chances that the other party will find your own errors and mistakes, he notes.

Focus  on  Investigation 

While the “forensics” label may be misleading, EDD tools can help the enterprise investigate possible security and compliance breaches to identify where a true forensics investigation should take place or to understand a previous breach as part of an effort to strengthen enterprise defenses.

Curtin advises that enterprises consider EDD tools that provide search and query capabilities that in-house analysts can use to uncover clues about potential problems, not just canned detection rules. Having lots of monitoring systems isn’t that useful if you don’t know where to focus your attentions. EDD tools can help identify the problematic areas, “so you don’t bother with the rest of the data,” he says. But systems that offer only canned analyses don’t let forensics experts do the kind of digging they need to do, forcing them to go through logs and databases manually. “Most companies today run the rules that come out of the box,” notes John Summers, global director of managed security at the Unisys consultancy, but for EDD tools to be effective, “rules need to be specific to your business and processes.” Good EDD analysis tools let you both customize the rules and conduct your own queries and searches, Curtin and Summers say.

It’s  also  key  to  remember  that  current 
real-time  analysis  tools  focus  on  a  specific 
type  of  monitoring,  such  as  credit  card  fraud 
detection  or  intrusion  detection,  rather  than 
provide  broad,  enterprisewide  risk  analysis. 

Monitor  at  Multiple  Levels 

Vendors are increasingly focused on EDD as a way to get CIOs’ compliance money, says Unisys’s Summers. Early EDD tools just added reporting to the real-time event-monitoring capabilities offered by security event management (SEM) tools and appliances, he notes, but since summer 2005, vendors have been adding more “pragmatic” compliance-oriented services to the tools now relabeled as EDD. For example, tools that used to focus on firewall and intrusion detection logs are now examining database logs to monitor access to specific data, both to help assess compliance with data access policies and to identify data access patterns that may indicate fraud. By noticing a firewall breach that occurs 30 seconds before unusual database access, for instance, such tools can alert administrators of a possible identity theft. That might lead to an immediate shutdown of access to that database as well as a deeper look into past activities to see if the identity theft has been ongoing. Similarly, EDD tools are also now examining server logs for both compliance and security analysis, he says.
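The cross-log rule Summers describes can be written down concretely. The following is an added Python example, not code from the article or from any EDD product: it flags a database access that falls outside a user's historical baseline when it occurs within 30 seconds after a firewall breach, and attaches that user's earlier unusual accesses for the "deeper look". The log format, the `BREACH` action name and the baseline set are assumptions made for the example.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # the 30-second gap from the article's example

# Assumed baseline of (user, table) pairs, as if built from past database logs.
BASELINE = {("svc_web", "catalog"), ("jdoe", "orders"), ("jdoe", "customers")}

# Constructed, already-normalized log lines; BREACH is a made-up action name.
LOG = """\
2006-01-09T23:50:00 database SELECT user=svc_web table=customers
2006-01-10T09:14:05 firewall BREACH src=203.0.113.7
2006-01-10T09:14:31 database SELECT user=svc_web table=customers
2006-01-10T09:20:00 database SELECT user=jdoe table=orders
2006-01-10T11:02:10 firewall BREACH src=198.51.100.9
2006-01-10T11:03:00 database SELECT user=svc_web table=customers
2006-01-10T11:30:00 database SELECT user=jdoe table=customers
"""


def parse(line):
    """Split 'timestamp source action key=value ...' into an event dict."""
    ts, source, action, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event.update(ts=datetime.fromisoformat(ts), source=source, action=action)
    return event


def correlate(log_text, baseline=BASELINE, window=WINDOW):
    """Alert on unusual database access within `window` after a firewall breach."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent_breaches = deque()  # breaches still inside the window
    earlier_unusual = {}       # user -> timestamps of unusual accesses so far
    alerts = []
    for e in events:
        # Expire breaches that are now older than the correlation window.
        while recent_breaches and e["ts"] - recent_breaches[0]["ts"] > window:
            recent_breaches.popleft()
        if e["source"] == "firewall" and e["action"] == "BREACH":
            recent_breaches.append(e)
            continue
        if e["source"] != "database" or (e["user"], e["table"]) in baseline:
            continue  # access matches the user's historical pattern
        history = earlier_unusual.setdefault(e["user"], [])
        if recent_breaches:
            breach = recent_breaches[-1]
            alerts.append({
                "time": e["ts"].isoformat(),
                "user": e["user"],
                "table": e["table"],
                "breach_src": breach["src"],
                "gap_seconds": int((e["ts"] - breach["ts"]).total_seconds()),
                # Historical context: was this user already off-baseline earlier?
                "earlier_unusual": list(history),
            })
        history.append(e["ts"].isoformat())
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOG):
        print(alert)
```

In the constructed log, the 11:03:00 access is just as unusual as the 09:14:31 one but follows its breach by 50 seconds, so only the earlier one is raised as a correlated alert.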

To do truly useful monitoring and analysis of data access requires understanding who the users are and what permissions they have, Summers says, so he expects EDD tools to begin monitoring policy servers and directory services in the next year. That requires a cohesive strategy for compliance and security, one that requires coordinating IT, business, security and legal needs. To accomplish that strategy, the CIO needs to ensure that monitoring and analysis is deployed holistically, not by just the security team or the network administration staff. Effective fraud and compliance monitoring requires having the right policies in place to manage data and access, as well as analyzing ongoing events in the network, in key applications and in key data stores.

The  new  breed  of  EDD  tools  are  fairly 
expensive  and  difficult  to  deploy,  notes  Gart¬ 
ner’s  Williams.  Costs  for  a  large  enterprise 
start  at  $300,000  and  can  rise  beyond 
$1  million  to  deploy,  since  storage  needs  can 
be  multiple  terabytes  and  require  an  infor¬ 
mation  management  system.  The  actual 


deployment  can  take  up  to  six  months  if  it 
involves  custom  development,  which  is  often 
the  case.  Over  time,  the  tools  will  become 
more  standardized  and  thus  easier  to  deploy 
as  vendors  see  broad  patterns  from  the  cus¬ 
tom  deployments,  Williams  notes.  But  today, 
the  high  costs  have  limited  the  tools’  adoption 
mainly  to  regulated  enterprises  or  ones  where 
fraud  costs  more  than  its  prevention,  he  says. 
For  more  on  the  different  EDD  tools  that  are 
available,  go  to  zvww.cio.com/041S06. 

EDD tools can be part of an overall security and compliance effort,
but by themselves, EDD tools are barely Band-Aids—unless, of course,
you’re just making a pro forma, “cover-your-ass investment,” says
Gartner’s Litan. That kind of lip-service monitoring and analysis may
help you complete a checklist to impress naive shareholders, but it
won’t really help your company, says Good Harbor’s Schwalm. After all,
as Summers of Unisys notes, “most companies already do logs, but no
one looks at them.”


Galen  Gruman,  principal  of  the  Zango  Group  and 
a  regular  contributor  to  CIO,  can  be  reached  at 
ggruman@zangogroup.com.


Having  lots  of  monitoring  systems  isn’t 
that  useful  if  you  don’t  know  where  to 
focus  your  attentions. 
Patricia Wallington


TOTAL  LEADERSHIP 


Toxic! 

Some  leaders  are  so  bad,  they  can  poison  a  company.  Here’s  how  to  spot  them, 
and  what  you  can  do  about  them. 


Working for some leaders is as painful as taking a full dose of
poison. Their behavior is so bad it is toxic to their organizations.
You know the type: More of a despot than a leader, he pits employees
against each other and paralyzes the organization with fear.

Sometime during your career you may have encountered such a toxic
leader, or maybe you see signs now of one emerging in your company
(hopefully you aren’t one yourself). Here’s how to spot one, how to
protect yourself and your team from his venom, and how to nip an
emerging toxic leader in the bud.

The  Markings  of  a  Toxic  Boss 

Toxic  leaders  share  some  common  traits.  They  often  have  a 
rigid  commitment  to  an  idealized  goal.  They  view  challenges 
to  their  vision  as  akin  to  treason.  Either  you’re  with  such  a 
leader,  unquestioningly,  100  percent,  or  you’re  the  enemy. 

The  poisonous  leader  is  arrogant;  in  her  mind,  she  is  always 
right,  and  she  takes  input  only  from  a  limited  group  of  yes-men 
and  -women.  Her  chosen  few  get  information,  but  no  one  else 
does,  and  so  there  is  no  discussion  about  the  work  being  done. 

Retribution from such a leader is swift for those not aggressively
supportive of his decisions. He treats employees coldly, even cruelly.
He assigns blame without regard to responsibility, and takes all the
credit for himself. I once had such a boss, and he gave me a new
definition of shared risk: If something I did was successful, he took
the credit. If it wasn’t, I got the blame. Painful as this was, I
learned a lot during his short tenure. He was my first negative role
model. Fortunately, I was able to move on, and he left the company.


ILLUSTRATION  BY  THE  HEADS  OF  STATE 


Why leaders behave this way is the subject of much speculation. Some
people attribute it to greed, not just for money but for power or
recognition. Incompetence can also drive the toxic leader’s behavior,
as his fear of being “found out” influences his interactions with
others.

The  Toll  of  Venomous  Leadership 

Poisonous  leaders  sap  the  strength  of  their  organizations. 
Their  demand  for  loyalty  causes  employees  to  fear  whether 
they  are  doing  something  the  leader  will  deem  to  be  wrong.  In 
this  demoralizing  and  dehumanizing  atmosphere,  the  toxic 
leader  may  drive  the  organization  into  paralysis.  Employees 
will  stop  thinking  creatively;  their  productivity  will  decline, 
and  they  will  miss  their  goals.  In  extreme  cases,  employees 
desperate  to  please  their  leader  and  keep  their  jobs  will  slide 
into  unethical  behavior  or  outright  corruption. 

One  might  question  why  such  behavior  is  tolerated.  First,  it 
is  not  uncommon  for  toxic  traits  to  be  hidden  behind  a  mask 
of  charisma.  Toxic  leaders  are  actors,  playing  a  role  to  achieve 
their  self-styled  goal.  Second,  in  many  companies  business 
success  tends  to  overshadow  personal  weaknesses. 

In one organization where I worked, a senior executive consistently
bullied his employees, yet he was charming to those above him. Even
after his superiors witnessed the behavior, nothing was done about it
because he always delivered his profit goals. Only after his staff
turned over significantly and he missed his goals did he face any
consequences. He wasn’t fired. Instead, he worked with a coach and
changed his leadership approach dramatically. This outcome suggests
that an organization risks encouraging toxic leadership by rewarding
results and ignoring how they were achieved.

A  Survival  Guide 

If  you’re  faced  with  a  toxic  leader  (whether  or  not  he’s  your 
boss),  you  can  survive.  But  you  will  need  a  strategy  to  do  so. 

First, you have to decide whether to stay or leave. Your personal
circumstances may require you to stay. If leaders are rotated
frequently in your company, you could wait out the poison leader’s
tenure. Or your own skills and reputation may be strong enough so that
you’re not damaged by the abuse you get.

Once  you  decide  to  stay,  you  will  need  to  decide  whether  to 
confront  the  behavior  or  lay  low.  Trying  to  counsel  the  boss  is 
likely  to  work  only  if  you’re  already  in  the  inner  circle,  and  only 
if  he  decides  to  listen  to  you  instead  of  cutting  you  off  from  the 
group.  Joining  with  others  to  confront  him  carries  similar 
risks.  Only  you  can  decide  how  far  to  go.  If  you  decide  to  take 
on  the  leader,  make  sure  you  have  all  the  relevant  facts,  pick  an 
appropriate  time  and  place  for  the  confrontation,  and  have  a 
plan  for  bringing  the  issues  forward. 

Meanwhile, you can find support from other executives in the
organization by strengthening those relationships. Take steps to
establish your independence. Never defend the ruthless behaviors.
Outside of work, find uplifting activities to nurture your
self-esteem.

If you have a toxic leader emerging in your organization, you can turn
him on a different path.

Whatever  you  do,  buffer  your  people  from  the  toxic  leader. 
Defend  them  against  any  hits  that  come  from  above.  I  once 
saw  a  manager  sit  quietly  and  allow  a  member  of  his  staff  to  be 
pummeled  by  abusive  questioning  during  a  presentation.  How 
cowardly  was  this  manager  that  he  couldn’t  step  in  and  deflect 
the  criticism?  Fear  of  retribution  may  tempt  you  to  duck  this 
responsibility,  but  good  leaders  do  not  abandon  their  people. 
Let  integrity  and  courage  lead  you  to  the  honorable  thing. 

Detoxifying  the  Next  Generation 

Toxic  leaders  aren’t  born,  they’re  shaped  by  their  experiences. 
If  you  have  one  emerging  in  your  organization,  you  can  turn 
him  on  a  different  path.  You  can  recognize  an  emerging  toxic 
leader  by  these  signs: 

■  Self-centeredness.  An  employee  is  willing  to  harm  others  in 
order  to  come  out  on  top. 

■  Messianic  visions.  The  employee’s  vision  seems  impossible 
to  achieve,  or  she  positions  misguided  actions  as  attempts  to 
achieve  a  noble  cause,  and  she  won’t  take  advice. 

■  Arrogance.  He  displays  disdain  for  others. 

■ Blame-shifting. I saw one executive order a “take no prisoners”
approach to setting and enforcing a technology standard, then disavow
the “noncollegial” style of his employee, leaving her to repair her
reputation alone.

Redirect  these  rising  leaders  by  making  your  expectations 
for  behavior  clear  to  everyone  in  your  organization.  Investigate 
low  morale,  and  attack  its  causes.  Ensure  that  performance 
reviews  document  toxic  behavior,  and  make  sure  offenders 
know  that  mistreating  others  is  going  to  short-circuit  their 
careers. Promote and recognize those leaders who demonstrate
nontoxic behaviors.

Finally, set an example. Most leaders are neither good nor bad always,
in all things. Recognize your weaknesses and work on eliminating them.
Be someone who is able to take advice. Demonstrate integrity. Work
unfailingly for the benefit of your team. Toxic leaders’ victories are
often short-lived. Avoiding and defending against toxic behaviors
should lead you, and those who follow you, down the path to sustained
success.


Before retiring in 1999, Patricia Wallington was corporate vice
president and CIO at Xerox. She is now president of CIO Associates in
Sarasota, Fla. Send feedback to leadership@cio.com.




Michael  Schrage 


IT'S  ALL  ABOUT  THE  EXECUTION 


The  Value  Inside 

CIOs  should  be  treating  success  with  an  application  as  an  invitation  to  see  what  else  the 
software  can  do  for  their  business 


Success can be a trickster; be wary. While I was moderating a customer
advisory board workshop for the software division of a giant
technology company, a disturbing observation dawned on everyone in our
poorly air-conditioned conference room: The software we were all there
to improve could do much more than even its most loyal users dreamed
of, yet that extra capability was almost never tapped.

The division’s leadership heard story after story of how their
software did a terrific job of solving one problem, yet was never
considered as a possible solution for any other business problem.
Somehow, the software’s early success had branded it a useful “point
solution” rather than an innovative platform for an array of apps. For
example, while the software was superb for both mass and custom
distribution of e-mails and PDFs, it could also handle global
distribution of richer media formats—streaming, for instance. But
clients were not even aware of the greater capability. In fact, this
server software, with minor modifications, was explicitly designed to
deal with the bulk of the business and technical issues its users had
deemed critical.

Why did early success blunt enhanced adoption? Communication was part
of the problem. People just didn’t see the links between digital
formats, and the vendor didn’t know enough about its customers’
specific business needs to point out how the software could address
them. While it was true the software would have to be tweaked to
custom-support specific needs, the vendor actually had tools that made
customization cheap and easy. But again, the customers didn’t
understand what was available.

Bottom  line?  The  software  was  a  victim  of  its  early  success. 
The customers clearly liked it—why else join the advisory board?—but
the package was woefully undervalued and underutilized. The point
solution perception actually undermined its potential as an enterprise
business process platform. Oh, the irony! The software had been
unfairly “niched.”

At a major software company’s CIO conference barely a month later, it
was deja vu all over again. Fortune 1000 IT leaders took turns telling
their host’s senior management that the vendor’s enterprise software
was underutilized. Business process owners and line executives inside
their companies kept looking for alternate software solutions to
business needs when the vendor’s existing software could accomplish
most everything required—and more.

“You  need  to  make  it  easier  for  us  to  utilize  all  the 
software  we  license  from  you,”  one  CIO  told  the  vendor  hosting 
the  conference.  “Otherwise,  our  people  are  just  going  to  go  out 
and  buy  the  software  they  think  they  need  from  someone  else.” 

Indeed, the common theme of these vignettes turns out to be a problem
throughout enterprise computing. Organizations in general—and IT in
particular—are underachievers in extracting full value from the
systems they acquire and deploy. They’re too satisfied with initial
success. For confirmation, you have to look only as far as your own
desktop. The overwhelming majority of people use a fraction of the
power and potential of, say, Microsoft Office or Google. Survey after
survey reveals that managers typically use less than 15 percent of the
functionality of PowerPoint or Excel. A recent IT survey by a Fortune
50 company showed that not even 10 percent of the employees over the
age of 35 used the corporate e-mail filtering function.

How  Vendors  Discourage  Experimentation 

Now  ask  yourself,  What  portion  of  our  “application  backlogs”  are 
a  function  not  of  unwritten  code  but  of  unused  or  undeployed 
software  features  and  functionality  that  are  simply  unknown  or 
untaught  to  users?  My  bet?  At  least  half,  probably  more. 

Why do I so confidently assert this? Because I’ve seen it with my own
eyes. Fifteen years ago, everyone in the industry joked about the
unfulfilled promises of overhyped “vaporware.” Today, there is not a
major enterprise software package—or a desktop app (Web-based or
not)—that doesn’t have far more features and functionality than 75
percent of its users need. Are there vendors who fail to deliver? Of
course, and there always will be. But the reality is, for most
organizations, a greater variety of “off-the-shelf” choices with more
built-in functionality exists than ever before.

Yes, there will always be circumstances that require workarounds and
custom-coding and special subroutines and so on. However, too many IT
groups (and their internal customers) haven’t thought through how they
can tap existing software portfolios to better meet business needs.

Now I’m the first to acknowledge that many vendors—you know who they
are, they know who they are—have stupid, counterproductive licensing
policies that discourage willing customers from getting greater value.
Shame on them! But when you look at the rate of open-source evolution
and how once-simple servers that handle transactions are becoming more
multidimensional, savvy CIOs have to ask: How well do we really know
what our software and systems are capable of doing if we’re really
prepared to be clever about them? Are we adequately building on
success?

CIOs  need  to  audit  the  early  wins  and  encourage  people  to 
use  them  as  springboards.  The  implementation  challenge 
shifts  when  we  think  less  about  reaching  for  something  “new” 
to  solve  problems  than  rethinking  how  we  should  tap  what  we 
possess.  Yes,  many  vendors  do  a  lousy  job  of  documenting  or 
explaining  their  offerings.  And  sometimes  it’s  easier  to  look 
for  another  point  solution  to  solve  a  new  problem. 

But  if  we’ve  already  learned  to  run  a  package  that  cost- 
effectively  delivers  the  goods,  why  not  build  on  it  if  the  price  is 
right?  Building  on  the  right  experiences  is  better  economics 
than  acquiring  novelties  that  will  inevitably  pose  their  own 
unique  challenges  anyway. 

Sitting  in  that  airless  room  with  a  genuinely  committed  vendor 
and  genuinely  committed  customers  reinforced  a  simple  but 
hard-won  truth:  Build  on  what  works,  and  treat  early  success 
as  an  invitation  to  innovate— not  as  a  sign  that  the  problem  has 
been solved. Vendors need to push their sales and support people
to explain how usage can evolve over time, not just how
best  to  solve  the  problem  du  jour.  And  CIOs  need  to  do  a  better 
job  of  reaching  out  to  their  business  units  and  working  with 
them  to  help  identify  the  features  and  functionality  they  need, 
and  then  unlock  those  features  from  the  software  they  already 
own  or  lease. 

The  true  test  of  our  stewardship  is  not  just  how  well  software 
is  used  but  whether  we’re  getting  the  full  value  that  we  should. 
That’s  not  just  a  technology  leadership  test;  it’s 
a business leadership challenge.


Michael  Schrage  is  codirector  of  the  MIT  Media 
Lab’s  eMarkets  Initiative.  He  can  be  reached  via 
e-mail  at  schrage@media.mit.edu. 


Organizations  in  general— and  IT 
in  particular— are  underachievers 
in  extracting  full  value  from  the 
systems  they  acquire. 


Add  a  Comment 


Is  an  attitude  of  complacency  obvious  in 
your  company?  And  if  so,  what  are  you 
doing  about  it?  Share  your  hard-earned 
wisdom  with  Michael  Schrage.  Find  the 
comments  box  on  the  online  version  of  this 
article. Go to www.cio.com/041505.
After the Storm

Even  though  this  Mississippi-based  CIO  lost  everything  in  Hurricane  Katrina,  the 
disaster  gave  her  a  newfound  appreciation  for  the  coworkers  who  rallied  around  her 

BY  JAN  RIDEOUT 

I loved living on the Mississippi coast. I arrived in December 2001 to
be CIO for a $3 billion division of Northrop Grumman, which builds
military warships in Pascagoula, Miss., and New Orleans. As a native
New Yorker and having just moved to Mississippi from Northern
California, I thought this would be just another stop in my career.

I  was  wrong. 

After living on the Mississippi coast for about a year, I told my boss
(and everyone else who asked) that I never wanted to move again. I had
found a great job in a small-town atmosphere devoid of traffic and
pollution. And my home was directly on the back bay of Biloxi, Miss.,
with incredible views of the water and wildlife all around. Paradise
found!

But all of that changed on Aug. 29, 2005, with the arrival of
Hurricane Katrina. On the Saturday evening before the storm hit, my
husband, David, and I discussed evacuation plans. Having driven 10
hours to Tennessee (with our three dogs in the pickup truck) just six
weeks before to escape Hurricane Dennis, we were both reluctant to do
the journey again.

We  considered  staying  at  a  local  motel,  but  when  we  awoke 
on  Sunday  morning,  Aug.  28,  the  storm  was  looking  too  dire 
for  us  to  remain  in  the  area.  I  went  online  and  found  a  hotel 
in  Bainbridge,  in  Southwestern  Georgia,  that  would  take  our 
dogs.  By  11  a.m.  we  were  fighting  the  traffic  driving  east. 

My staff had spent Friday and Saturday doing their usual heavy-weather
preparation. I have about 230 people in Mississippi and Louisiana, and
they’ve been through the drill many times before: taking backups,
sending them to one of our data centers in Dallas, shutting down
servers, covering them
up with heavy-duty plastic.

Monday,  Aug.  29,  was  an  extremely  long  day— sitting  in  our 
tiny  motel  room,  watching  CNN  and  the  Weather  Channel  to 
get  a  sense  of  how  bad  the  storm  was.  My  BlackBerry  had  no 
signal  in  Bainbridge,  so  I  couldn’t  contact  anyone  either  by 
phone  or  e-mail.  When  we  saw  our  hometown  Comfort  Inn 
(which  was  where  we  originally  planned  to  stay)  with  part  of 
its  roof  blown  off,  we  knew  it  was  going  to  be  bad.  We  just  had 
no  idea  how  bad. 

The  Damage  Done 

By Tuesday afternoon, I was on a plane along with David to Dallas,
where my boss, Northrop Grumman CIO Tom Shelman, is located. After
settling in to our new “hometel,” I dashed into our Dallas office to
join the efforts to set up an IT command center. The Pascagoula center
was flooded; it had an eight-foot watermark in the building. The New
Orleans data center, while intact and on generator power, was
disconnected from the rest of the world due to extensive problems with
the public infrastructure. In addition, millions of dollars of
information technology infrastructure—networks, phones and desktops
out in the Pascagoula shipyard—had been destroyed.

My Northrop Grumman colleagues were struggling to find key members of
my staff. Finally, late Tuesday, I was able to get a call through to
one of my immediate staff who lived near me. He had been evacuated
from his home early Monday morning before the water rose too high and
was in a local shelter. Talking to him brought the reality of my
situation home. He informed me, as gently as possible, that it was
very likely that the area I lived in was completely destroyed. I sank
to the floor in despair. If what he was saying was true, I had just
lost everything I owned.

The  next  day,  my  husband,  who  also  works  for  Northrop 
Grumman,  boarded  one  of  the  company’s  many  corporate 
planes  bringing  supplies  and  equipment  to  the  region.  He  was 
met  by  one  of  my  employees  who  was  generous  enough  to 
drive  him  to  our  house.  Prior  to  his  arrival,  another  one  of  my 
staff  had  made  his  way  over  to  our  home  and  finally  got 
through  to  me  on  his  cell  phone. 

“Tell  your  husband  not  to  come,”  he  said.  “There’s  nothing 
here.” 

I  took  the  day  off  to  absorb  the  shock.  I  knew  I  had  to  take 
some  time  to  grieve.  I  took  the  opportunity  to  get  a  few  decent 
outfits,  as  all  I  had  taken  when  I  left  Mississippi  was  a  pair  of 
jeans,  some  sweats  and  a  pair  of  Birkenstocks.  My  entire 
wardrobe  was  now  in  the  Gulf  of  Mexico. 

Picking  Up  the  Pieces 

Gradually, we began to make contact with other staff members in the
area. But what we found was that we had to take care of their basic
needs, such as food, water and gasoline, in order to get them in a
position where they could help. Volunteers from Dallas drove RVs
loaded with supplies down to the coast.

My own basic needs focused on finding a place to live. After being
stationed with Dave and the dogs in Dallas for two weeks, we drove
back to Mississippi. We moved into one of the travel trailers Northrop
Grumman had sent down to house employees. Finding a house to rent was
extremely difficult. Any undamaged housing in the area was snatched up
sight unseen. After two weeks of relentless searching, we finally
found a rental in Mobile, Ala.

In the meantime, IT employees from Texas, Florida, Maryland,
California and several other locations joined forces with the local
Mississippi and Louisiana staff to help pull off a miracle. Two weeks
after Katrina hit, the shipyard in Pascagoula reopened and we had
basic systems, such as the system for employees to clock in and out,
ready and working.

Approximately six weeks after the storm, 95 percent of the application
systems had been restored. People who had lost everything continued to
make the restoration of the shipyard systems a priority. In
Pascagoula, nearly the entire IT staff showed up for work almost every
day. One of my direct reports stayed in her home for the storm, and
when her windows started breaking and the waters began to rise, she
and her family had to swim to safety. They spent five hours in the
flood waters. But she had put her BlackBerry in a Ziploc bag. She
stayed in contact and showed up for work the next day. I am forever
grateful to all the colleagues who rallied around me in this time of
difficulty.

It’s now almost eight months since the hurricane, and we are
still rebuilding some of the shipyard’s IT infrastructure. The
contents of my home still lie strewn on my property. We understand
it will likely be years before we can even start to rebuild.

Every day, I miss my home, the gorgeous sunsets and the pelicans
flying by. I miss my “things”: my furniture, my clothes
and my jewelry. But perhaps as compensation, I have a newfound
appreciation for other things. I’ve come to realize that the
friendship, support and love of my coworkers is a gift I will
never again take for granted.


Jan Rideout (Jan.rideout@ngc.com) is CIO of the
Ship Systems Sector at Northrop Grumman. Please
send comments to Executive Editor Alison Bass at
abass@cio.com.


Craig Hitchings (left), director of IT for Maine's Department
of Human Services, and Dick Thompson, now CIO for the
state, gambled that building a brand-new Web services system
would improve the processing of Medicaid claims.


Maine’s  attempt  to  build  a  new 
Medicaid  claims  processing  system 
is  a  classic  example  of  how  not  to 
run  a  massive  project 

On Friday, Jan. 21, 2005, the state of Maine cut the ribbon on its new,
Web-based Maine Medicaid Claims System for processing $1.5 billion in
annual Medicaid claims and payments. The new $25 million program, which
replaced the state’s old Honeywell mainframe, was hailed as a more secure
system that would clear claims faster, track costs better and give
providers more accurate information on claims status.

But within days of turning on the new system, Craig Hitchings knew that
something was seriously wrong.

There had been problems right from the start—an unusually high rate of
rejected claims—but Hitchings, director of information technology for the
state of Maine’s Department of Human Services (DHS), had assumed they were
caused by providers using the wrong codes on the new electronic claim
forms. By the end of the month, he wasn’t so sure. The department’s Bureau
of Medical Services, which runs the Medicaid program, was being deluged
with hundreds of calls from doctors, dentists, hospitals, health clinics
and nursing homes, angry because their claims were not being paid. The new
system had placed most of the rejected claims in a “suspended” file for
forms that contained errors.

Tens  of  thousands  of  claims  representing 
millions  of  dollars  were  being  left  in  limbo. 

1. Scope out a detailed plan. Describe what the system must do for users
and how you will measure the performance of the system and its output.

2. Watch out for bad RFP bids. A low number of bids or bids that are not
within an acceptable range suggest that the requirements have not been properly
communicated or are unrealistic.

3. Plan ahead. Line up subject matter experts who know the business processes
for the new system and can provide guidance to developers and programmers during
buildout. Assign a business expert full-time, or nearly full-time, to the implementation.
Create a steering committee that includes subject matter experts and developers,
and meet frequently.

4. Find the bottleneck. You can develop a system only as fast as it takes to build
the most complicated component. Many times the delay is not from writing code,
but rather something else, such as finding time with a subject matter expert. So, resist
hiring more programmers to speed up the development process until you analyze what
is slowing down the project and focus resources there.

5. Do not cut corners on testing. The last thing you want to do is ignore
critical pilot tests and end-to-end tests. Ultimately, such corner-cutting will result in
longer delays later. If you need more time, ask for it, and defend why you need it.

6. Develop a backup system. If replacing a legacy system, make sure the
users can fall back to the old system if the new system fails and needs to be reworked.

7. Prepare other contingency plans. As part of your backup plan, be
prepared to communicate with system users so that they can use the backup system
and know what is expected of them.

8. Train, train and train. Provide frequent training for internal staff on new
business processes and system requirements, including what must be done in case
of a system failure. Train call center staff on how to manage users' questions.
Train users on how to use the system and what they should do in case of failure.

9. Honesty is your best policy. In case of failure, provide honest answers to
users and staff. Do not make promises that you do not know you can keep.

10. Triage fixes. In fixing a flawed system, prioritize fixing those requirements
that have the biggest impact on users and that provide basic, needed functionality.
Come back to the bells and whistles later. -A.H.


Hitchings’ team—about 15 IT staffers and about 4 dozen employees from
CNSI, the contractor hired to develop the system—were working 12-hour
days, writing software fixes and performing adjustments so fast that
Hitchings knew that key project management guidelines were beginning to
fall by the wayside.

And  nothing  seemed  to  help. 

Day  after  day,  the  calls  kept  coming.  The 
bureau’s  call  center  was  so  backed  up  that  many 
providers  could  not  get  through.  And  when  they 
did,  they  had  to  wait  on  the  phone  for  a  half  hour 
to  speak  to  a  human. 

By the end of March, the number of Medicaid claims in the suspended bin
had reached approximately 300,000, and the state was falling further and
further behind in its ability to process them. With their bills unpaid,
some of Maine’s 262,000 Medicaid recipients were turned away from their
doctors’ offices, according to the Maine Medical Association.

Several dentists and therapists were forced to close their doors, and some
physicians had to take out loans to stay afloat. With the Medicaid program
accounting for one-third of the entire state budget, Maine’s finances were
in shambles, threatening the state’s financial stability and its credit
rating. Yet Hitchings was at a loss to explain what was causing all the
suspensions.

And  every  day  brought  hundreds  more. 

Today, more than a year later, it’s fair to say that the Maine Medicaid
Claims System project has been a disaster of major proportions.

Since the new system went live, it has cost the state of Maine close to
$30 million. The fallout has been broad and deep. In December 2005, Jack
Nicholas, the commissioner of the DHS who oversaw the project, resigned.

As of press time, Maine is the only state in the union not in compliance
with the Health Insurance Portability and Accountability Act of 1996
(HIPAA)—a striking irony given that the new system was designed
to facilitate that compliance. Although federal authorities have
said they will work with the state in extending the deadline, the failure
has been a black eye on Maine’s ability to manage the health
of hundreds of thousands of its residents. And it has become an
issue in this year’s race for governor.

State IT officials say they have fixed most of the bugs in the new
Web services system and that it is now processing 85 percent of
claims (although physician groups dispute this). With 20/20 hindsight,
they can now look back and see where the project went
wrong. Hiring a vendor, CNSI, that had no experience in developing
Medicaid claims systems was the first mistake. And that was
compounded by the decision to build a new and relatively unproven
technology platform for the entire system rather than, as other
states have done, integrating a Web-based portal with back-end
legacy systems. Thirdly, IT switched over to the new system
overnight with no backup system in case something went wrong.
And making matters worse, no end-to-end testing or training was
conducted before the switchover. Indeed, the story of the Maine
Medicaid Claims System is a classic example of how not to develop,
deploy and manage an advanced Web services system.

“By the first of March, it was clear that we were missing any sort
of basic management of this project and were in complete defensive
mode,” recalls Dick Thompson, then head of procurement
for the state of Maine and now its CIO.

“We  could  not  see  our  way  out  of  this.” 
Out with the Old

In the late 1990s, states were moving fast to overhaul their Medicaid
claims processing systems. Driving the transformation was
HIPAA, which required numerous changes in managing patient
health and records, the most significant of which was protecting
patient privacy. Maine, like other states, had to upgrade its systems
to better secure Medicaid patient records. Under HIPAA, the state
had until Oct. 1, 2002, to have a system in place that would secure
and limit access to that information.

At the same time, the federal Medicaid program was becoming
more complex. As additional health services were added, the number
of codes and subcodes for services grew, and payments to doctors
and hospitals were parsed accordingly. Maine also needed to
give providers a way to check the eligibility of Medicaid patients
and the status of their claims. Making this information available
online, they hoped, would cut down on the number of calls to the
state Bureau of Medical Services, thereby saving the state money.

State officials knew that upgrading the old system would be a
Herculean task. Maine processes more than 120,000 Medicaid
claims per week, and the existing claims processing system—a
1970s vintage Honeywell mainframe—was not up to the job, nor
could it meet HIPAA’s demands or provide online access. The
state’s IT managers reasoned that a new end-to-end system would
be easier and cheaper to maintain. (Other states reached different
conclusions. Massachusetts, for example, decided to build a new
front-end Web portal for providers and Medicaid patients that
could be integrated with the state’s existing legacy systems. For
more on this, read “Opening a Virtual Gateway to Better Health,”
online at www.cio.com/031506.)

The development of the new system was assigned to the IT staff
in the DHS, which decided it wanted a system built on a rules-based
engine so that as Medicaid rules changed, the changes
could be programmed easily into the system.

Some service providers, such as EDS, offered states the opportunity
to outsource claims processing systems. But the DHS staff
believed building its own system would give it more flexibility. The
staff also believed it could manage the system better
than an outsourcer. “We had a track record of running
the old system for 25 years,” Thompson explains.

In  April  2001,  the  state  of  Maine  issued  an  RFP 
for  the  new  system.  But  by  the  end  of  the  year,  the 
state  had  received  only  two  proposals:  one  from 
Keane  (for  $30  million)  and  another  from  CNSI  (for 
$15  million). 

Typically, agencies like to see several bids within a
close range. That way, procurement officials are confident
that the requirements are doable and the bids
realistic. In this case, the low bidder, CNSI, had no
experience in building Medicaid claims processing
systems. In contrast, Keane had some experience in
developing Medicaid systems, and the company had
worked on the Maine system for Medicaid eligibility.

The paucity of bidders and the 100 percent difference
in price between the two bids should have
been red flags, says J. Davidson Frame, dean of the
University of Management and Technology in
Arlington, Va. “Only two bidders is a dangerous
sign,” he says, adding that the low response rate
indicated that potential bidders knew the requirements
of the RFP were unreasonable. “Thompson
should have realized immediately something was
wrong with the solicitation, and redone it,” Frame
says. “Even if they missed the [HIPAA] deadline, it
would have saved time and money in the long run.”


The  Seeds  of  Failure 

CNSI proposed building the new system with J2EE
software language, arguing that it was needed to get the
scalability state officials were asking for, according to
Hitchings. J2EE is a powerful programming language,
the Ferrari of software code, which some of the largest
corporations are now using to run their global operations.
Experts say deploying such advanced technology, especially
in state government, increased the risk in an already risky project.
Most Medicaid claims systems contain bundles of code that have
been tinkered with for decades to adjust rates, services and rules.
Attempting to translate all of that human intelligence, gathered over
thousands of person-years, into a system built from the ground up,
was, at best, problematic. “It was a big misstep,” Frame says.

But  Thompson  argues  that  the  state  was  in  a  corner. 

Maine’s  budget  was  tight.  State  revenue  was  dropping,  and  saving 
money  was  critical.  Also,  the  deadline  to  become  compliant  with 
HIPAA  was  looming,  and  Thompson  decided  that  the  six  months  that 
would  have  been  needed  to  redo  the  RFP  was  too  much.  “We  had  a 
requirement  to  get  something  in  place  soon,”  Thompson  says. 

In October 2001, the state awarded the contract to CNSI, giving
the company 12 months to build and deploy a new high-end
processing system by the HIPAA deadline of Oct. 1, 2002. As
head of procurement, Thompson signed off on the contract.

Almost immediately, it became evident that the state was not
going to meet the deadline. To begin with, the 65-person team composed
of DHS IT staffers and CNSI representatives assigned to the
project had difficulty securing time with the dozen Medicaid experts
in the Bureau of Medical Services to get detailed information about
how to code for Medicaid rules. As a result, the contractors had to
make their own decisions on how to meet Medicaid requirements.
And then they had to reprogram the system after consulting with
a Medicaid expert, further slowing development.

The system also was designed to look at claims in more detail
than the old system in order to increase the accuracy of payments
and comply with HIPAA security requirements. The legacy system
checked three basic pieces of information: that the provider
was in the system, the eligibility of the patient and whether the
service was covered. The new system checked 13 pieces, such as
making sure the provider was authorized to perform that service
on the date the service was provided, and the provider’s license.
“There were a lot more moving parts,” Thompson explains.

Looking back, Thompson says the DHS team was seriously
understaffed. But Thompson says he was afraid to ask for more
resources. “That is a significant problem in government,” Thompson
says. “If I say I need 60 to 70 percent more staff because we need
to work this project for two years, the response would be, ‘What, are
you crazy?’ So, we just couldn’t make the turnaround times.”

In the fall of 2002, just months away from the HIPAA deadline,
the DHS team got a reprieve. The federally run Center for Medicare
and Medicaid Services pushed back the deadline to Oct. 1, 2003.

For the next two years, CNSI and Maine’s DHS IT shop worked
long hours writing code. Errors kept cropping up as programmers
had to reprogram the system to accept Medicaid rule changes at the
federal and state levels. The changes created integration problems.
The developers also had to add more storage capacity and computing
power to accommodate the increase in information generated
by the new rules, and that further delayed the development.

In January 2003, John Baldacci was inaugurated governor. One of
Baldacci’s campaign promises was to streamline state government,
and part of the plan called for merging Maine’s Department of Behavioral
and Developmental Services with the Department of Human Services
to create the Department of Health and Human Services (HHS).
That meant consolidating systems and databases that had resided in
both departments and creating new business processes, diverting crucial
resources from the development of the claims system. Thompson
says the merger also diverted executives’ attention. Meanwhile, the cost
of the project rose, increasing 50 percent to more than $22 million.

The IT staff could not meet the extended HIPAA deadline. In an
attempt to catch up, they began to cut corners. For example, testing
the system from end to end was dismissed as an option. The
state did conduct a pilot with about 10 providers and claims clearinghouses,
processing a small set of claims. But the claims were not
run through much of the system because it was not ready for testing.
Beyond a few fliers announcing the new system and new
provider ID codes, HHS offered little or no guidance to providers
on the use of the system. And there was no training for the staff
who would have to answer providers’ questions.

“We kept saying, ‘Gosh, let’s keep our head down; we can work
through this,’” Thompson recalls. Instead, he acknowledges, he
and other top officials should have taken a step back and analyzed
the risks that the new system might pose for the state’s Medicaid
providers and their patients.

Early  Warnings 

Hitchings  and  his  staff  made  the  decision  to  go  live  in  January 
2005.  The  switch  to  the  new  system  would  be  made  in  a  flash 
cutover  in  which  the  legacy  system  would  be  shut  down  for  good 
and  the  new  system  would  take  over.  Codes  identifying  providers 
(tax  identifier  numbers)  and  Medicaid  patients  (Social  Security 
numbers)  had  to  be  changed  to  meet  HIPAA  guidelines,  and  the 
legacy  system  would  not  be  able  to  recognize  the  new  numbers.  Nor 
could  it  read  the  new  electronic  claim  forms.  HHS  dismissed  the 
idea  of  running  a  parallel  system  as  too  costly  and  complicated. 

Maine officials did have one contingency plan: They would pay
providers for two to four weeks if the new system failed. Under
the interim payment plan, if a provider’s claims were not being
processed in a timely manner, the provider would receive a payment
based on the average monthly payment the provider had received
the five weeks prior to the new system coming on.

On Jan. 21, Hitchings arrived at his office to find the claims system
up and running. The initial reports from the contractor and his staff
were that the system was humming along, quickly moving through
Medicaid claims.

But the following Monday morning, Hitchings sat down with CNSI
contractors to go over the file statistics for the system’s first
three days. Something wasn’t right. The system had sent about 50
percent of the claims—24,000 in the first week alone—into a
“suspended” file, a dumping ground for claims that have an error that
is not significant enough to reject the claim outright but that are
not accurate enough for payment. Typically, the error can be fixed
fairly quickly by a claims processor. But the 50 percent rate was very
high; the legacy system had suspended only about 20 percent of claims.

By the end of the month, angry calls from providers were mounting. One
of the calls came from Kevin Flanigan, the only internist and
pediatrician in Pittsfield, a town of 4,000 people in south central
Maine. Early one morning at the end of January, Dr. Flanigan sat down
with his business manager to go over the Medicaid payments that had arrived
in that day’s mail. Flanigan sliced open an envelope, pulled out the
statement, and read “rejected.” In the amount paid column, he saw
“0.00.” His manager opened a statement. Zero amount paid. “One
after the other it said zero, zero, zero,” Flanigan recalls. “My first
reaction was that the state blew it, and it was no big deal. I could just
call them up, straighten it out, and they’ll send me a check.”

Flanigan called HHS. He was told the problem was a computer
glitch. The state would have it fixed in one or two weeks.

Flanigan  went  back  to  seeing  his  patients. 

The glitch, however, kept sending tens of thousands of claims to
the suspended file. Hitchings discovered that the system was suspending
duplicate claims—claims from the same provider who had
filed the claim a second time after learning the first had been
suspended. The system was programmed to reject the second claim if
it was identical to one already in suspension. With the capacity to
work off only 1,000 claims a week, it would take the Bureau of Medical
Services more than six months to clear all of them.

Hitchings and CNSI began to look at the code and the design of
the system. They found numerous problems. For example, without
adequate guidance from Medicaid experts, the system had been
designed to accept files with up to 1,000 lines of claim data. But
many claims were much larger, some containing up to 10,000 lines,
and the server was rejecting them automatically. The Medical Bureau
staff asked providers to submit smaller files. In the meantime, the IT
staff would try to rewrite the software.

At the same time, other errors began popping up. The state
now owed health-care providers as much as $50 million in Medicaid
payments, and the backlog of claims had reached almost
100,000. Providers couldn’t get through to HHS. When they
didn’t get a busy signal, the wait to talk to a staff person at
MaineCare (formerly the Bureau of Medical Services) was a half
hour or more. Providers began calling state legislators. A press conference
was held on the steps of the state capitol Feb. 16, declaring
a financial crisis for Maine health-care providers.

The  calls  were  coming  in  so  fast  that  Hitchings  decided  to  man 
the  phones  himself.  One  call  he  remembers  was  from  a  woman  in 
a  provider’s  billing  office.  She  was  frustrated  because  the  system 
would  not  accept  her  claim,  no  matter  what  she  did.  Hitchings 
walked  her  through  the  process,  making  sure  she  had  the  correct 
billing  and  file  name  conventions.  After  45  minutes,  the  system  still 
wouldn’t  accept  the  claim.  Hitchings  had  to  admit  defeat. 

“That  was  just  so  frustrating,”  Hitchings  says.  “I  just  couldn’t 
fix  the  problem.  I  didn’t  know  what  more  we  could  do.” 
In Pittsfield, Flanigan opened more claim statements with no
checks. He began to make plans to draw on a line of credit that used
his office building as equity.

Over  the  next  nine  months,  Flanigan  would  take  out  $30,000  in 
loans  to  pay  his  bills. 

A  Call  for  Help 

By early March 2005, Hitchings’ staff and CNSI were overwhelmed.
For $860,000, the department hired XWave, an integrator and
project management consultant, to take over the project. More people
were hired to take phone calls. Gov. Baldacci, saying “enough is
enough,” ordered Commissioner Nicholas to have the claims system
operable and running smoothly by the end of March.

But March came and went, and nothing changed. Desperate,
state officials decided to change the program’s management, and
Rebecca Wyke, head of Maine’s financing department, appointed
Thompson as CIO in late March, replacing Harry Lanphear, who
is now CEO of the Kennebec Valley YMCA. Thompson was put
in charge of the project, and ordered to right the system as quickly
as possible. (Lanphear could not be reached for comment.)

By the end of the summer, 647,000 claims were clogging the
suspended claims database, representing about $310 million in
back payments. Interim payments were being made, but reconciling
those payments with the claims was an accounting nightmare.
Wyke hired the accounting firm Deloitte & Touche to audit
the state books to determine if Maine would have enough money
to pay Medicaid bills by the June 30 end of the fiscal year. The
$7 million contract also called for Deloitte to consult on how to
reconcile the Medicaid bills.

XWave set up a project management office and steering committee
that met weekly to establish priorities and monitor the
progress of system software fixes. The goal was to get the new system
to process claims at the same rate that the legacy system
had, sending 20 percent into a suspended or rejection file. Thompson
hired Jim Lopatosky, an Oracle database specialist in the
state’s Bureau of Information Services, as operations manager to
act as a calming influence on the department’s battered IT division.
When Lopatosky took over in June, he encountered a staff
“running at 100 miles per hour,” trying to fix every software
bug, with little direction on what was most important. “They
couldn’t see the forest for the trees,” he recalls.

Lopatosky soon realized, as XWave had, that the system’s
problems could be laid at the door of poor project management
and worse communication among the HHS IT staff, contractors
and business users. For instance, programmers for the state and
those working for CNSI would work on parts of the system without
telling each other what they were doing. Lopatosky prioritized
tasks. He acted as a liaison between teams working on different
functions. He directed the programmers to fix those software
bugs that would resolve the largest number of suspended claims
and postponed work on the portal through which providers could
check on the status of claims. That could wait.

But the intricacies of the Medicaid program continued to
thwart progress. Thompson needed a business owner who could
clarify Medicaid business processes for the IT staff. Last October,
Dr. Laureen Biczak, the medical director for MaineCare, agreed
to take on that responsibility.

“This is what brought it all together,” Thompson says. “It was
something we should have done from the start: have someone who
knew the business [of Medicaid] working full-time on the project.”

With Biczak’s assistance, the Bureau of Information Services
set up a triage process for the help desk. Medicaid business-process
questions would be sent to the Medicaid specialists; software
and hardware questions would be sent to IT program
specialists. The triage process was implemented in January.

By  the  end  of  the  month,  Thompson  claimed  the  new  system 
could  process  85  percent  of  claims  as  either  pay  or  deny.  “I  can 
now  see  the  light  at  the  end  of  the  tunnel,”  he  says. 

For  the  provider  community,  however,  that  light  is  still  the 
headlamps  of  an  oncoming  train.  Gordon  Smith,  head  of  the 
Maine  Medical  Association,  says  the  new  claims  system  is  still  far 
from  what  was  promised:  an  advanced  system  that  would  clear 
claims  faster,  track  costs  better  and  give  providers  more  accurate 
information  on  claims  status.  Smith  disputes  Thompson’s  claim, 
saying  the  new  system  still  rejects  20  percent  of  the  total  claims, 
most  of  which  meet  accepted  standards  for  payment.  “Why  are 
we  comparing  this  system  to  a  legacy  system  that  wasn’t  good 
enough  in  the  first  place?”  he  asks.  “Why  spend  $25  million  on  a 
new  system  that  isn’t  any  better?” 

For  doctors  like  Flanigan,  the  entire  ordeal— the  postponed 
payments,  the  lack  of  communication  with  providers,  the  system’s 
continued  fallibility— will  not  easily  be  forgotten.  Or  forgiven. 
And  it  will  certainly  be  on  Flanigan’s  mind  when  he  and  others 
like  him  go  to  the  polls  to  vote  for  governor  in  November. 

“They  are  supposed  to  be  protecting  the  most-at-risk  people  in  the 
state,”  Flanigan  says.  “It  goes  beyond  shock  and  dismay  how  utterly 
disrespectful the state has been to providers and patients.”


Washington  Bureau  Chief  Allan  Holmes  can  be  reached  via  e-mail  at 
aholmes@cio.com. 
executive summary

In today's ultra-sensitive business climate, content risks
abound. Most executives are aware of the obvious risks leading
to compliance violations and customer data loss, but what
about those they don't know about? And, while savvy enterprises
have some protection in place, the growing variety of
threats far outstrips most existing security measures, putting
businesses' very health at risk. As a result, executives are
leaving their enterprises wide open for attack.


INSIDER  RISK:  The  growing 
concern  for  CIOs 


There's no doubt that security breaches are on the rise from
many fronts, threatening the very health of enterprises. In 2005,
over 52 million people were exposed to data security breaches
in over 100 incidents nationwide. And according to
analysts, 70% of all security incidents come from insiders.

What’s truly alarming, though, is that
many executives think they’re fully protected
from these breaches and the insider
threat. In reality, they’ve yet to scratch the
surface when it comes to understanding and
addressing all the risks. Although many executives
have implemented basic protection
measures to combat compliance violations,
customer data loss and intellectual property
theft, they only have visibility into half the
insider risk, leaving them only half protected.

“What  executives  may  not  know  is  that 
to  protect  against  customer  data  loss, 
identity  theft,  intellectual  property  theft 
and  compliance  violations,  you  need  to 
look  at  all  insider  risk  including  insider 
hacker  activity,  internet  abuse  and  more.  All 
forms  of  risk  can  identify  a  security  breach 
before  it  occurs,”  says  Brian  Burke,  research 
analyst  for  Framingham,  Mass.-based  IDC, 
a  provider  of  market  intelligence,  advisory 
services,  and  events  for  the  information 
technology  and  telecommunications 
industries. 

Security  breaches  are  often  planned. 
Getting  visibility  during  the  planning 
stages  can  help  to  defuse  a  potentially 
devastating  event.  By  monitoring  all  internal 
communication,  executives  understand 
who  and  what  is  occurring  on  their  network 
to  control  the  insider  risk,  compliance 
violations  and  customer  data  loss. 

What  would  happen  if  a  breach  occurred 
within  your  organization  and  as  a  result 


When  it  comes  to 
insider  risk  what 
According to a U.S. Secret Service and CERT Coordination Center
Insider Threat Study, not only did 83 percent of the insider
threat cases take place within the enterprise, but 81 percent
of those incidents were planned in advance.


your  company  experienced: 

•  Unwanted  media  attention? 

•  Unwanted  stakeholder  attention? 

•  Unwanted  government  attention? 

•  Loss  in  consumer  trust? 

•  Brand  and  reputation  damage  and  more? 

When it comes to content risks, executives need
to look at the big picture to successfully protect their
businesses from financial, legal and reputation damage.

“What  if  you  had  total  visibility  into  all  risks  across 
your  entire  enterprise?  And  what  if  you  had  visibility 
into  an  attack  three  days  before  it  occurred  or  even 
better,  three  weeks  before  it  occurred?”  asks  Joe 
Cortale,  senior  vice  president  of  worldwide  sales 
and  marketing  for  Denver,  Colorado-based  Vericept 
Corporation,  a  provider  of  comprehensive  compliance 
and  content  control  solutions.  “Complete  visibility 
means  you  can  anticipate,  defuse,  and  control  threats 
before  any  real  damage  occurs.” 

The  Bad  News:  What  You  Don't  Know 
Can  Hurt  You 

Cortale warns that there is very little visibility into
content risks posed by Internet abuse, insider hacker
activity and other less-evident dangers. Frankly,
executives aren’t looking for other, less obvious insider
activity that is directly related to security breaches and
legal risk. Nor do they realize that such rampant threats
tend to go unchecked by many content monitoring
solutions.

For  example,  another  underestimated  threat  is 
insider  hacker  activity.  Enterprises  must  not  be  lulled 
into  thinking  that  all  is  well  once  the  perimeter  is 
secure.  Insider  hackers  know  the  lay  of  the  land  and 
have  the  time  necessary  to  organize  lethal  attacks. 

The  only  way  to  thwart  a  hacker  attack  is  with 
visibility  into  its  early  stages,  which  requires 
intimate  knowledge  of  activities  such  as  research, 
communication,  downloads  and  application  usage. 
Given  the  correct  alerts  to  warn  of  suspicious  insider 
activity,  executives  can  take  action  before  an  attack 
occurs. 

Would  you  know  if: 

•  Internal  hackers  were  conducting  research  on 
malicious  hacking  tools? 

•  An  employee  looking  to  leave  the  company  is 
planning  to  take  proprietary  information  and  trade 
secrets  with  him? 


•  A  disgruntled  employee  was  planning  a  hacker 
attack  with  outside  sources  via  an  instant  messaging 
session? 

By  correlating  the  risks  in  different  areas, 
organizations  will  gain  visibility  into  planned  and 
unplanned  behavior  allowing  them  to  act  before  any 
damage  is  done. 

In addition, today more than ever, executives must
be concerned with all forms of legal liability including
sexual harassment, racism, defamation of character and
violence in the workplace, any of which can jeopardize
the business and result in lawsuits.

The  Good  News:  What  You  Do  Know  Will  Help  You 

“The  rapid  adoption  of  the  Internet  as  a  business 
tool  definitely  exposed  enterprises  to  many  forms  of 
information  loss,  including  identity  theft,  intellectual 
property  loss,  compliance  violations,  lawsuits  and  brand 
damage,”  says  Cortale. 

“For  highly  regulated  industries  like  healthcare  and 
financial  services,  the  greatest  concern  is  obviously 
regulatory  compliance,”  says  Burke.  “But,  unregulated 
industries  have  been  focusing  on  protecting  content, 
particularly  intellectual  property  and  customer 
data.”  Whether  inadvertent  or  intentional,  exposure 
of  such  content  by  insiders  can  result  in  damage  to 
the  corporate  brand  that  is  more  costly  than  any 
government  fine. 

The good news, says Cortale, is that enterprises
are now gaining an understanding that the threats of
compliance violations, intellectual property
theft and customer data loss from the trusted insider
can be mitigated. By working with companies like
Vericept, which provides 360° visibility and control over a
corporation’s digital assets, they are able to successfully
secure insider leakage points.

Content  Monitoring  Protection 

With  all  these  threats  and  so  many  unknowns,  what  are 
executives  to  do? 

The  key,  says  Cortale,  is  content  protection  from 
every  angle,  implementing  a  solution  that  provides 
visibility  into  the  obvious  and  the  not-so-obvious 
risks.  “Although  it’s  certainly  a  start,  executives  can’t 
stop  with  just  identifying  compliance  violations  and 
intellectual  property  theft,”  explains  Cortale.  “They 
need  a  solution  that  correlates  all  insider  risk  such 
as  Internet  abuse,  rogue  protocol  usage,  and  insider 
hacker activity - not to mention sexual harassment and
racism.  The  correlation  of  risk  from  one  area  gives  you 
visibility  into  other  areas  of  risk.” 

Be  warned,  many  content  monitoring  solutions 
offer  insight  into  only  a  portion  of  these  risks,  leaving 
enterprises  open  for  attack  and  relying  on  basic  reactive 
measures  such  as  blocking  and  quarantining.  Rather, 
executives  need  a  solution  that  provides  360°  visibility 
and  control  over  enterprise  content  for  maximum 
protection  over  digital  assets. 

Content  Monitoring  Check  List 

For  comprehensive  content  protection,  executives 
should  consider  the  following  in  a  content  monitoring 
solution: 

• Risk mitigation from every angle. The key is
to  put  a  solution  and  strategy  in  place  that  considers 
risk  from  all  angles.  Again,  many  products  in  this  space 
address  only  partial  areas  of  risk  (often  merely  half),  so 
it’s  important  to  find  a  solution  that  addresses  all  risk. 
Being  able  to  predict  and  defuse  potentially  damaging 
situations  isn’t  worth  its  weight  if  large  areas  of  risk 
aren’t  even  on  the  radar  screen.  After  all,  it  only  takes 
one  devastating  security  breach  to  cripple  a  business. 

• Network, desktop and email control. To
identify and prevent all content risk, complete control
is necessary. “That means, every part of the business -
the network, desktops, email, Internet, IM, etc. - must
be subjected to the same strict scrutiny,” says Cortale.
The security platform must be comprehensive, with the
tools and scope to identify security gaps, receive alerts
for malicious internal activity and keylogger activity
and ensure policy compliance.

• Content control. Content control should
encompass  three  key  phases  with  automatic  alerts 
for  critical  risk,  compliance  violations  and  leakage  of 
highly-sensitive  information.  First,  risk  triggers  must 
be  in  place  to  detect  events  that  pre-warn  an  enterprise 
of  an  impending  violation.  Second,  risk  correlation 
should  capture  multiple  violations  in  one  event,  where 
a  single  isolated  event  may  go  unnoticed.  Third,  content 
control  technology  is  required  to  block  and  quarantine 
communications  that  infringe  on  corporate  policy. 

• Investigation management. Effective
compliance  and  content  protection  strategies  don’t  start 
and  end  with  monitoring.  Investigation  management 
completes  the  cycle,  enabling  enterprises  to  document 
and  analyze  violations  for  future  planning  or  even  legal 
proceedings.  The  right  investigative  tools  will  create 
an  exact  replica  of  the  original  communication.  From 
there,  case  files  must  be  created  with  full  annotation 
and  data  mining  capabilities  to  enhance  analysis.  Lastly, 
automated  audit  trail  tools  are  needed  to  track  access 
and  changes  to  recorded  violations. 

Together, these components can help enterprises
to anticipate, defuse and control all threats, no matter
what they are, before any real damage occurs.

The Vericept 360° Risk Management Platform

COMPLIANCE AND CONTENT PROTECTION FROM EVERY ANGLE

The Vericept 360° Risk Management Platform provides complete
visibility into all insider risk and control violations
before they occur.

Compliance Protection
Provides insight into intentional or inadvertent violations of
state and federal regulations and helps organizations provide
evidence of compliance.

Intellectual Property Protection
Monitors all forms of Internet-based communications and
attachments to detect exposure of confidential information,
checking for pre-warning activity.

Customer Data Protection
Checks communication for leakage of sensitive customer data
(addresses, Social Security Numbers, credit card numbers, account
numbers, pass codes and driver's licenses).

Insider Hacker Activity
Provides visibility into the early stages of an attack by
identifying hacker activities such as hacker usage and
application downloads and capturing communication on backdoors,
keylogger applications, and suspicious insider activity.

Excessive Internet Abuse
Helps enterprises monitor and mitigate excessive Internet abuse
in the form of gaming, shopping or viewing pornography.

Other Insider Risk
Offers insight into sexual harassment, racism, defamation of
character and violence in the workplace.

Rogue Protocol Usage
Monitors rogue protocol usage to determine whether other security
product controls are operating effectively.

The bottom line: An investment in content
monitoring technology should be a no-brainer. Just
make sure the solution provides total visibility into
all areas of risk, providing compliance and content
protection from every angle, or else be prepared to face
the consequences. Because viewing only half the risk is
simply unacceptable.


ADVERTISING  SUPPLEMENT 


PROVEN  DATA  PROTECTION 

Vericept. The Content Monitoring (CM) Vendor With the Largest Fortune 500™ Customer Base

                                                                 Vericept   Competition
Percent Fortune 500™ CM Customers                                75%
Percentage of Marketshare in CM Market                           80%
Proven Global Deployment                                         ✓
Accurately Detects Risks With Keywords                           ✓          ✓
Accurately Captures and Correlates More Forms of Insider Risk    ✓
Pre-Warning to Potential Threats                                 ✓
First to Scan File Systems and Desktops                          ✓
Automatic Policy-Based Forensic Investigation                    ✓
Enterprise-Wide Risk Reporting                                   ✓
Investigation Management

Get  Visibility.  Get  Control™ 

VERICEPT 

The  Trusted  Vendor  For  Honest  Answers. 

www.vericept.com  or  call  1.800.262.0274 

Note: Fortune™ and Fortune 500™ are registered trademarks of Time, Inc. There is no relationship between Time, Inc., and Vericept Corporation implied by the reference to Fortune™ magazine and the Fortune 500™.

© 2006 Vericept Corporation


The  Eighth  Annual 
CIO  100  Symposium  &  Awards 

Delivering  Innovation  to  the  Enterprise 


CIO  100  Symposium  is  the  premier  place  for  CIOs  to  exchange  ideas  with  their  peers  across 
all  industry  segments  as  noted  thought  mavens  and  recognized  leaders  in  the  CIO  community 
explore  how  to  develop,  implement  and  capitalize  on  innovation  most  effectively. 

Save  the  date. 

August  20  -  22,  2006 

Hotel  Del  Coronado,  Coronado,  California 

For  more  information,  call  800-355-0246 


CIO  100  Symposium  Awards  are  proudly  underwritten  by 
Offshore Outsourcing


To  succeed,  relationships 
require  love  and  attention. 
That’s  why  CIOs— especially 
mid-market  CIOs  with  limited 
resources— should  factor  in 
the  costs  of  hand-holding 
when  going  offshore. 


BY  STEPHANIE  OVERBY 


There’s a sense of relief in Scott Testa’s voice as he talks about
terminating the last of his company’s offshore outsourcing contracts
this summer.

As COO and CIO of Mindbridge, an intranet
software provider, Testa has overseen engagements
with a handful of Indian IT service
providers since 1999. In the beginning, the
lure of lower costs from offshore outsourcing
was hard to resist. And indeed, through 2002,
Testa couldn’t have been happier with the
results. He was saving his mid-market company
30 percent on the application development
and maintenance work he otherwise
would have sourced domestically.


But by 2003, Testa began to see the benefits slip away.
Staff turnover at the Indian vendors increased. The quality
of work on offshored projects decreased. And Testa’s
internal staff was growing weary of the time and travel
required to keep the relationships on track.

Things finally reached a breaking point last year.
“[Offshore outsourcing] made a lot of sense for us at one
time,” says Testa, who will sever ties with the last remaining
Indian vendor in June. “But it made a lot less sense for
us in 2003. And by the end of 2004, it was right there in
our face. It just wasn’t nearly as cost-effective—or effective—for
us anymore. We’d get better quality and lower
costs by doing the work domestically.”

Testa’s experience is a sign of the outsourcing times. In the
late ’90s and early part of this decade, many CIOs jumped on the
offshore outsourcing bandwagon. They were either
feeling the lure of potential savings or being pushed by CEOs or
boards with similar dollar signs in their eyes. A surprising number
of companies ended up going offshore first and figuring out a
strategy later.

Reader ROI

:: Why the value of offshoring often dips after three years

:: What to do to keep the relationship fresh and productive

:: How to know when it’s time to bow out

Mindbridge CIO Scott Testa:
“It's a lot of work to manage
offshoring relationships. If you
don’t put the resources and the
work into managing them well
long-term, you’re destined to
have issues.”

Now, as marriages arranged during the heyday of offshore outsourcing
have matured, offshore outsourcing satisfaction rates
have dropped. Last year, IT consultancy DiamondCluster International
reported that the number of buyers satisfied with their offshoring
providers fell from 79 percent to 62 percent, and the number
of buyers prematurely terminating an outsourcing relationship doubled
to 51 percent. Also in 2005, PricewaterhouseCoopers found that
half of the financial services executives it surveyed were dissatisfied
with offshoring.

Several years into the craze, expectations about offshoring
have come crashing down to earth. In a recent study of offshore
outsourcing results among financial services companies, Deloitte
Touche Tohmatsu discovered that although offshore performance
during the first few years was consistent with expectations,
many companies encountered an alarming drop-off in both cost
savings and quality after three years. “It is a lot of work to manage
these relationships. If you don’t put the resources and the
work into managing this relationship well long-term, you are
destined to have issues,” says Testa. “That, quite frankly, is what
happened to us.”

Philip Hatch, founder of offshore outsourcing consultancy Ventoro,
has also found a maximum ROI point occurs sometime before
the first three years are up. “After you hit that [three-year mark],
unless there is some additional external force, things get stale,” says
Hatch, who worked for Russian outsourcer Luxoft from 2000 to
2003. “Turnover rates on the outsourcing team pick up. The
methodologies and tools that worked well in the beginning become
obsolete. And other soft costs creep in,” he says.

CIOs who are just beginning to evaluate the offshore option
could benefit from the lessons learned by those who have gone
before them. Even before they make the decision to offshore,
CIOs should factor in the costs involved in keeping a long-term
offshoring relationship from becoming stale. Smart CIOs have
figured out that continuous tweaking and constant attention, as
well as developing the right metrics for judging performance, are
keys to long-term offshore success.

“Unless an outsourcing engagement goes through some kind of
reinvention, by five to seven years out, you’re going to see no material
cost savings over what you would pay to do the work yourself,”
Hatch predicts. “The outsourcing engagement will be obsolete.”

The  Honeymoon  Years 

Hatch compares the offshore cycle thus far to the dotcom boom
and subsequent bust. In the early part of the decade, “people
started screaming offshore. We saw CIOs being forced into offshore
outsourcing relationships because of their boards, or executives
selecting vendors solely based on their hourly rates,” says
Hatch. “Ninety-nine percent of them had no real business plan.”

“A lot of these initiatives were driven by costs, essentially replacing
expensive labor with cheap labor,” agrees John G. Schmidt, president
of the Integration Consortium, whose experience with offshore
outsourcing dates back to the 1980s when he worked in the Consulting
Services division at Digital Equipment Corp. “But the problem
is making [offshore outsourcing] sustainable. The U.S. business
mind-set is, What can I do in January to save money this year?”

Although many IT leaders understood the effort required in
the first year or two to launch an offshore outsourcing relationship,
many were not prepared for the long-term effort it takes to
sustain the value proposition. “People thought that outsourcing
was a panacea to cure all ills,” says Testa of Mindbridge. “But we found
that while it solves some problems, it causes others.”

When Joe Drouin was promoted to CIO of car parts manufacturer
TRW Automotive at the end of 2002, he inherited his predecessor’s
offshore outsourcing relationship with Indian vendor Satyam. The
arrangement had originally been sought three years earlier by the
company’s then-new CEO. For a while, the deal had worked well,
Drouin says, but by the time Drouin came aboard it was beginning to
show some signs of wear and tear. Some projects were still successful;
others weren’t. The relationship was managed project by project, using
a very formulaic approach for gathering user requirements. “It took a lot of
effort to get it right,” says Drouin, “and it didn’t always happen.” The
result: missed deadlines, blown budgets and rework. And the developers
Satyam assigned to TRW’s projects were a mixed bag. “Some
were good and some were not,” recalls Drouin. “And we’d lose the
really good ones whenever a project would finish. So every time we
had a new project, we had to start all over with someone who had
to learn the TRW environment.”

Drouin renegotiated the contract with Satyam to provide a dedicated
offshore development center that would engage vendor staff


[Chart: horizontal axis marked by quarter, Year 1 through Year 4]

The savings gained by going overseas tend to disappear
by the fourth year if the outsourcing relationship’s vows
are not refreshed and renewed.

SOURCE: Ventoro
With Sybase® software, BNSF Railway Company developed a mobile application
that enables remote workers to document railway maintenance and:

Cuts data entry time by approximately 50 percent
Provides more accurate and timely data
Delivers software and database updates automatically


For most organizations, maintaining 32,500 miles of rail lines would be a colossal headache. But for BNSF Railway Company, it has become
a competitive advantage. Because they have an information edge that comes from Sybase SQL Anywhere® and Adaptive Server® Anywhere
software. Now, BNSF remote workers can input data on location (vs. waiting until the end of the day). Headquarters has more visibility into
the field. And maintenance decisions are made more proactively. Just a few reasons why more and more global companies are using Sybase
every day to keep their business on track. www.sybase.com/infoedge207

Copyright © 2006 Sybase, Inc. All rights reserved. Sybase, the Sybase logo, SQL Anywhere and Adaptive Server are trademarks of Sybase, Inc.
® indicates registration in the United States of America. All product and company names are trademarks of their respective owners.




The Captive Option

Companies  interested  in  long-term  offshore  outsourcing  are 
increasingly  opening  their  own  operations  overseas 

As problems with long-term offshore contracts, such as growing
turnover and diminishing quality, become more pronounced, captive offshore
operations—in which a company opens its own offshore subsidiary—are gaining
favor. The captive model gives a company complete control over offshore operations
and, by eliminating the middleman, can boost savings. In fact, Deloitte
Touche Tohmatsu found that among financial services companies, captive operations
appeared to be more capable than offshore contracts of improving savings
and quality over time.

Some  companies  may  choose  to  go  the  captive  route  from  the  get-go,  but  more 
often  than  not  it’s  a  model  they  develop  after  working  with  an  offshore  vendor  for  a 
few  years.  Some  offshore  vendors  even  offer  a  “build-operate-transfer”  model  that 
allows  a  company  to  purchase  the  offshore  center  from  the  vendor  after  a  specified 
period  of  time. 

But  the  captive  model  isn’t  right  for  everyone.  If  your  offshoring  needs  are 
small,  it  wouldn't  make  much  financial  sense  to  set  up  an  offshore  subsidiary. 
Similarly,  if  you  want  to  outsource  a  particular  technology  that  an  offshore  vendor 
has  spent  years  building  a  practice  around,  you  might  get  better  performance 
from  the  vendor  than  you  would  from  your  own  captive  operation.  But  if  you’re 
going  to  have  2,000  workers  offshore  or  have  specialized  needs,  a  captive  center 
is  often  a  better  option. 

Some  companies,  like  Lehman  Brothers,  end  up  splitting  the  difference  with 
a  hybrid  model,  setting  up  their  own  offshore  subsidiary  and  supplementing  that 
with  offshore  vendor  relationships.  Last  February,  Lehman  CIO  Jonathan  Beyman 
set  up  a  captive  center  in  Mumbai,  India,  that  is  focused  on  very  high-level  work 
such  as  developing  and  maintaining  Lehman’s  proprietary  software.  It’s  the  kind 
of  work  Beyman  isn’t  comfortable  handing  off  to  a  third  party,  particularly  when 
turnover  is  such  an  issue.  “Hopefully  we’ve  set  up  an  organization  where  that’s  not 
as  much  of  a  problem,”  Beyman  says.  And  in  the  captive  center,  “IT  and  industrial 
engineers  can  get  together  and  figure  out  how  to  redesign  business  processes  and 
solve  things  that  are  not  purely  technical  problems,  but  social  problems." 

The captive center currently employs 300 people and is scheduled to grow to
600 by the end of the year. But Lehman continues to maintain outsourcing relationships
with Indian vendors Tata Consultancy Services and Wipro, which have
a total of 400 workers attached to lower-end projects, such as QA testing and
infrastructure support, for the financial services firm. -S.O.


in long-term commitments to address
the turnover issue and remove some of
the risk of managing the work project
by project. “We started building up a
good base of TRW-specific and automotive
domain knowledge,” says
Drouin. “We didn’t have to reintroduce
ourselves or start from scratch each
time.” And for the first year after reorganizing
the relationship, the offshore
outsourcing worked swimmingly.

But  it  wasn’t  to  last. 

Romance  Fades 

In the beginning of any offshore relationship, both customer and vendor
expend a Herculean amount of effort to get the relationship up and running
smoothly. “The new customer signs on. There’s lots of fanfare and press. All the
vendor employees want the gig, and the vendor puts his aces on your team,”
Hatch says. “They build out new facilities. They buy new software and hardware.
The vendor comes in and spends a significant amount of time and money
to close the deal.”

On the customer side, CIOs and their
staffs spend time and money evaluating
vendors and putting a new management
structure in place to support the offshore
environment. A manager is assigned to
oversee the relationship, often making
repeated trips overseas to oversee vendor
performance. “Traveling to India or
China or the Philippines every quarter to
manage operations or vendor relationships
works OK for the first year or 18
months,” says Chris Gentle, director of
research for Deloitte and Touche. “But
when you’re doing it for two or three
years, it takes a lot out of people.”

Several years out, weariness and complacency often set in,
what Gentle calls “offshore fatigue.” Mindbridge’s Testa
recalls that in his shop, problems would start to come up that couldn’t
be solved with IM or e-mail, and one of his managers would
have to jump on a plane to India the next day. “It’s definitely fatiguing,
physically and psychologically,” he says.

The key, says Gentle, is to make sure you rotate new people into the
offshore relationship manager position every couple of years to prevent
burnout. Satyam’s offshore operation for TRW has grown to 150
employees, and Drouin says it’s about time he had a TRW Automotive
employee onsite in Chennai, India, to oversee the vendor’s work.
“There’s only so much you can do on each visit. They focus on a couple
of specific things each time they’re out there,” says Drouin. “Once
you get to this scale, you need someone on the ground day in and day
out making sure you get the most from your investment.”

Travel is not the only thing that can sap those managing an offshore
relationship. TRW hit its ROI sweet spot with Satyam about
a year after Drouin set up the offshore center. Productivity hit an
all-time high, with the offshore center delivering consistently
on-time, on-budget, and on-spec projects and support.
“But it took us so much effort to get to that level,” Drouin says.
“Then we kind of backed off, assuming things would run smoothly.”

Complacency can set in on the vendor side as well. A. Vinod, vice
president of IT for a $1.8 billion manufacturing company that Vinod
would prefer not to identify, says that over the years, he’s seen
dwindling vendor executive involvement in his four-year relationship
with Sierra Atlantic, a Fremont, Calif.-based company with offshore
development centers in India.

“Early on, when our account was growing, their executives made frequent
visits to help cultivate the relationship. There were constant calls
and status reports,” Vinod recalls. “But over time, executive
visibility has shifted quite a bit. Deliverables were never missed. But
the visits diminished in frequency and face time with them was
reduced.”

Vinod continues to push for more involvement from Sierra’s executives
and advises others in a similar situation to do the same. “You have to
demand that,” he says. In the event that executives are not responsive,
Vinod (who has a small four-person dedicated center at Sierra in
Hyderabad, India, but also pays Sierra Atlantic for additional projects
and support as needed) puts his money where his mouth is. “I tell my
vendor, if you want to know how the relationship is going from my end,
just look at quarter over quarter billing,” he says. “If you’re making
less money on us, you’ve got something to worry about. Come over and
talk to us.”

Long  after  an  offshore  relationship  has  ramped  up,  quarterly 
meetings  between  senior-level  management  at  both  customer  and 
vendor  are  a  must,  Hatch  agrees.  And  if  vendor  executives  aren’t 
asking  how  they  can  improve  performance,  there’s  a  problem.  “It’s 
a  huge  red  flag  if  the  vendor  isn’t  coming  to  you  periodically  with 
suggestions  on  how  to  optimize  the  engagement,”  he  says. 


Right-the-First-Time  Metrics 

One issue offshore vendors are notoriously stubborn about is
performance metrics. If left to their own devices, many would just as
soon stick with the metrics they brought to the table on day one,
particularly if those benchmarks make them look good. But the metrics
often offered up by offshore vendors—simple cost or man-hour figures,
ratios of onsite to offsite staff, errors per thousand lines of
code—may not be useful. Over time, it’s the customer who must push for
new, more meaningful metrics. “Trying to figure out what’s the right
metric to use is the area where we spent the most hours,” says Vinod.

The majority of work Sierra Atlantic does for Vinod’s manufacturing
company is in the area of application support. Throughout the day, a
series of tickets are opened as Vinod’s users report problems with
applications (anything from a password that needs changing to a program
that malfunctions). Those tickets are passed to the offshore team. They
look at the problem and make an attempt to resolve it. The metrics
Sierra Atlantic has used all along to measure its application-support
effectiveness were things like how long an open ticket sat in a
technician’s queue or how many hours that technician worked on the
problem. And according to those numbers, the vendor was doing a bang-up
job.

But on the other side of the world, Vinod was seeing the backlog of new
tickets inch up every day. “The Sierra Atlantic team thought they were
doing a great job. They were publishing this report that showed they
were squeaky clean,” he says. “But their metrics didn’t mean anything
at all. None of these metrics helped drive the only goal—ticket closure
with a satisfied user.” And since there was an increasing number of
tickets being entered into the system, Vinod suspected problems were
not being resolved on the first or even second try.

The offshore support team had no way of knowing whether the solution
they tried actually resolved the original problem (they worked during
the day in India, while it was night back in the United States) and,
with the performance metrics Sierra Atlantic had in place, the support
staffers had no impetus to follow up and find out the net result. So
Vinod brought the entire offshore support team (at considerable cost)
to his headquarters in Ohio, where he thought they’d feel more
connected to the company and more accountable to users. And sure
enough, the backlog decreased. “We got the numbers back, and they were
fantastic,” he says. “Once in the U.S., they were held to the only
metric that was important to us—two-day closure of every ticket.” Of
course, Vinod can’t keep the entire support team in Ohio full time.
He’s still working with Sierra Atlantic to figure out the right mix of
offshore and onshore vendor staff and new processes to make it work.

Drouin says his team has also had a tough time figuring out what
numbers will paint a more meaningful picture. His offshore management
team recently added a number of metrics to track resources, projects
and network availability, which are delivered monthly to Satyam’s
offshore project managers and TRW’s project champions. More
importantly, they’re working to finalize a next generation of metrics
whose inspiration comes from the world of manufacturing. Drouin calls
them right-the-first-time metrics, an IT corollary to the manufacturing
metric “first-time yield.”

“Rather  than  the  number  of  bugs  per  line  of  code,  we  want  to 
figure  out  how  many  times  we  get  something  that’s  just  right 
out  of  the  box  from  the  vendor,  or  close  enough  to  just  right  that 
we  don’t  have  to  kick  it  back  to  them,”  Drouin  explains. 

The  Truth  About  Turnover 

Lately,  Drouin  has  been  focused  on  turnover  metrics.  Satyam 
itself  tracks  when  an  employee  leaves  the  company.  But  for  Drouin, 
it’s  when  a  Satyam  employee  leaves  the  TRW  account  that  he 
feels  the  pain,  even  if  that  employee  is  still  working  for  the  vendor. 

And  like  most  CIOs  who  have  been  outsourcing  offshore  for 
more  than  three  years,  Drouin  has  been  feeling  that  pain  more 
than  ever  lately.  He  was  aware  of  the  well-publicized  turnover 
rates  in  India,  sometimes  nearing  25  percent  or  30  percent.  “That’s 
bad  enough,”  he  says.  “But  you  can  have  a  specific  project  team  and 
experience  100  percent  turnover  overnight.  That’s  a  tremendous 
impact,  and  projects  can  ground  to  a  halt.” 

Indeed,  one  of  TRW’s  biggest  offshore  projects  came  to  a  dead  stop 
twice  last  year  because  the  entire  project  team  on  a  product  data 
management  (PDM)  system  to  support  TRW’s  engineering  work  left 
overnight.  “They  literally  walked  across  the  street  to  join  another 
vendor  to  work  on  some  giant  ERP  project,”  Drouin  says. 

It was particularly costly because of the type of project. “If it’s a
SAP project, we know that Satyam has a whole host of SAP talent they
can bring to bear,” Drouin says. “But if it’s something more
specialized like PDM—they didn’t have a wealth of resources in that
area. And it took them time to go outside and find people.” The
defection led to lengthy delays in project completion that made TRW’s
VP of engineering none too happy. “It significantly slowed down a
project aimed at increasing the efficiency of our engineers,” says
Drouin. “It also impacted our credibility with the business, who began
to doubt our ability to deliver the project.”

1. Don’t assume the hard work is over after the ramp-up period. Healthy
offshore relationships require continuous improvement throughout their
lifecycles and extensive re-examination every three years.

2. Hold quarterly meetings with senior-level representation from both
customer and vendor.

3. Rotate people out of the relationship management position after a
few years to prevent burnout. Or consider having someone permanently
onsite at the offshore location. The travel required to manage
relationships offshore can take a toll on employees.

4. Keep close tabs on vendor staff turnover. Pay attention to all
levels, from the executive ranks to middle managers to line workers;
defections at any level can have a negative effect.

5. Work with your offshore provider to cushion against the sudden loss
of key employees. For example, on an important project place an extra
resource who can be ready to jump in if necessary.

6. Make sure performance metrics mesh with reality. If they don’t, come
up with new metrics that do.

7. Survey business users and internal IT staff about their experiences
with offshored support or projects on a regular basis. They can be your
best measure of how well or poorly the engagement is delivering. -S.O.

“The best people were being wooed away for more money. And the quality
of people we got in their place wasn’t equal to the price we were
paying.” -Scott Testa, CIO, Mindbridge

Drouin says Satyam has put some processes in place to help ease the
impact of turnover. “The vendor has put a sixth person on a five-person
project team as a buffer,” he says. “If someone leaves the project,
they have a resource ready to jump in who’s already up to speed.”
Ultimately though, says Drouin, turnover is simply something he has to
factor into the cost of doing business offshore.

Indeed,  Hatch’s  research  reveals  a  dramatic  upswing  in  turnover 
on  the  vendor’s  team  during  the  second  and  third  year  of  offshore 
outsourcing  engagements.  Testa  of  Mindbridge  also  found  that 
the  replacements  his  offshore  vendors  put  on  his  projects  were 
increasingly  less  skilled  and  experienced  but  cost  just  as  much. 
“The  best  people  were  being  wooed  away  for  more  money,”  says 
Testa.  “And  the  quality  of  people  we  got  in  their  place  wasn’t  equal 
to  the  price  we  were  paying.” 

Lehman  Brothers  CIO  Jonathan  Beyman  says  turnover  rates 
are  part  of  the  reason  why  he  doesn’t  send  work  that  requires 
company-specific  knowledge  to  third-party  vendors  in  India. 
“They’re  not  putting  someone  on  my  account  who’s  going  to  stay 
there  for  the  rest  of  his  career.  After  a  couple  of  years,  I  know 
there  is  going  to  be  churn,”  says  Beyman,  who  has  two  contracts 
worth  a  total  of  $70  million  with  Tata  Consultancy  Services  and 
Wipro.  “Having  subject  matter  experts  is  something  that’s  very 
important  to  us.  We’ve  got  employees  internally  that  have  worked 
on  our  systems  for  years  and  years,  and  we  have  not  been  able  to 
duplicate  that  with  a  third  party  offshore.” 

And that’s a big part of the reason some IT executives eventually turn
to a captive model, where the company owns and operates the offshore
center as its own subsidiary and employees report directly to them (see
“The Captive Option,” Page 60). Beyman himself has gone to a hybrid
model, with a captive center handling high-level work and vendors
working on things like QA testing and infrastructure support.

Offshoring  Is  Hard  Work 

Ultimately,  it’s  clear  that  for  offshore  outsourcing  to  be  successful  long 
term,  it  requires  continued  reevaluation  and  renewal.  The  hard  work 
is  not  over  after  the  first  couple  of  years;  it’s  only  just  beginning. 
Hatch  advises  CIOs  to  consider  that  and  factor  it  in  before  they  sign 
a  contract  with  an  offshore  IT  services  provider. 

“You have to make a holistic evaluation of the offshore proposition
that looks at total costs long term,” Hatch says. “Not just the launch
costs, but the mature operational costs, including the relaunch that
needs to take place every three years or so.”

Drouin builds long-term costs for increased turnover into his metrics
so that he isn’t taken by surprise. “Don’t assume that the task of
closely monitoring is limited to the startup phase. You’re going to
have to maintain that level of attention—or close to it—throughout the
relationship,” he says.

Beyman of Lehman Brothers made headlines in 2003 when he re-insourced
the help desk he had offshored to India after nine months of terrible
service levels. “The places where it works for us, it works because we
spend a lot of time and attention on it,” he says. “The places where it
hasn’t worked, it hasn’t worked because it wasn’t managed well.”

Gentle of Deloitte and Touche says he saw a broad range of results in
the cost savings being achieved offshore and the quality being
delivered. Some companies were getting quality offshore that was 15
percent higher than on shore. Others were seeing quality about equal to
that delivered domestically. And, “some were seeing quality start to
dip below the level of quality available onshore, which defeats the
whole value proposition of going offshore in the first place,” he says.

That’s where Testa found himself at Mindbridge. A once-beneficial
offshore outsourcing arrangement deteriorated over time until he
ultimately ended up in a situation with inexperienced offshore staff
delivering him buggy software at no net cost savings. Unlike Drouin and
Vinod, who continue to work at offshore outsourcing and derive value
from it, Testa called it quits. He is in the process of staffing up
internally to meet Mindbridge’s application development and support
needs, supplementing that with some domestic outsourcing. “I don’t plan
to do any more offshoring in the foreseeable future,” Testa says. “It’s
time-consuming and draining and, at times, extremely frustrating. You
spend half the time patting people on the back and half the time
kicking people in the ass.”

As the offshore outsourcing market has matured, the lesson for CIOs is
clear. “Offshoring is not for the fainthearted. You can’t dabble in
it,” says Deloitte and Touche’s Gentle. “You have to have a long-term
strategy.”


Senior  Editor  Stephanie  Overby  can  be  reached  at  soverby@cio.com. 


Offshore  Best  Practices 


To  read  more  coverage  of  offshore 
outsourcing  best  practices,  go  to 

www.cio.com/specialreports  and 
click  OUTSOURCING  STRATEGIES. 


POWERING Data Centers

Electricity-hungry equipment, combined with rising energy prices, is
devouring data center budgets. Here’s what you can do to get costs
under control. By Susannah Patton


A TYPICAL 10,000-SQUARE-FOOT DATA CENTER consumes enough juice to turn
on more than 8,000 60-watt lightbulbs. That amount of electricity is
six to 10 times the power needed to operate a typical office building
at peak demand, according to scientists at Lawrence Berkeley National
Laboratory. Given that most data centers run 24/7, the companies that
own them could end up paying millions of dollars this year just to keep
their computers turned on.


And it’s getting more expensive. The price of oil ($60 a barrel in
February) may fluctuate, but the cost of energy to run the data center
probably will continue to increase, energy experts say. This is because
global demand for energy is on the rise, fueled in part by the
proliferation of more powerful computers. According to Sun Microsystems
engineers, a rack of servers installed in data centers just two years
ago might have consumed 2 kilowatts and emitted 40 watts of heat per
square foot. Newer, “high-density” racks, which cram more servers into
the same amount of space, are expected to consume as much as 25
kilowatts and give off as much as 500 watts of heat per square foot by
the end of the decade. The dire predictions keep coming. Most recently,
a Google engineer warned in a research paper that if the performance
per watt of today’s computers doesn’t improve, the electrical costs of
running them could ultimately exceed their initial price tag.

“As the demand for computing grows, the cost of power is a larger and
larger concern,” says Dewitt Latimer, CTO at University of Notre Dame.
Latimer is grappling with finding the space and adequate power to
handle a growing demand for cheaper and ever-more powerful
high-performance computer clusters at Notre Dame. The problem comes not
just from the computers themselves; Latimer is worried that the
air-conditioning needed to keep the machines cool will also eat away at
his budget.

Like Latimer, every CIO who is responsible for a data center—even those
who outsource data center management to a hosting company—faces this
conundrum: how to keep up with ever-increasing performance requirements
while taming runaway power consumption. The problem is most pressing
for companies on either coast and in large cities in between, where
space is at a premium and companies compensate by putting more servers
into their existing buildings. And there is no simple solution.
Business demand for more applications results in companies adding more
servers. According to market research company IDC (a sister company to
CIO’s publisher), server sales are growing by 10 percent to 15 percent
annually.

Nevertheless, some CIOs with huge energy bills are developing
strategies for containing power costs by deploying more
energy-conscious equipment and by using servers more efficiently.
“There’s no question that the issue of power and cooling is a growing
concern,” says John Humphreys, an IDC analyst. “The assumptions used
for building data centers have been blown away.”


Reader ROI

:: Why energy consumption has become a headache for CIOs

:: Ideas for reducing data center electricity use
THE PROBLEM: I.T. HOGS ENERGY

IT’s energy woes have a lot to do with market factors that affect
everyone who drives a car or turns on a light switch; at the beginning
of the year, the price of a barrel of oil was more than double what it
was three years earlier. The price of natural gas, which fuels many of
the country’s electric power plants, has also shot up. And anyone who
thinks the current energy crunch is going away need only look at global
energy markets.

The oil shocks in the 1970s and ’80s stemmed from large, sudden cuts in
supply. This time, it’s different. While it’s true that some of today’s
high prices stem from supply shocks tied to the U.S. invasion of Iraq
and hurricanes on the Gulf Coast, the world’s thirst for oil over the
past 25 years has grown faster than the energy industry has been
producing it. And with rapid economic expansion in China and India,
those countries are demanding more and more energy, putting further
pressure on the world’s energy markets.

Servers in corporate data centers may use less energy than
manufacturing facilities for heavy industries, but within a company, IT
is an energy guzzler. “We’re pretty hoggish when it comes to power
consumption in the data center,” says Neal Tisdale, VP of software
development at NewEnergy Associates, a wholly owned subsidiary of
Siemens. NewEnergy’s Atlanta data center performs simulations of the
North American electric grid to help power companies with contingency
planning. “We turn on the servers, and we just leave them on.”

The exact amount of electricity used by data centers in the United
States is hard to pin down, says Jon Koomey, staff scientist at
Lawrence Berkeley National Laboratory. Koomey is working with experts
from Sun and IDC to come up with such an estimate. Nevertheless, most
experts agree that electricity consumption by data centers is going up.
According to Afcom, an association for data center professionals, data
center power requirements are increasing an average of 8 percent per
year. The power requirements of the top 10 percent of data centers are
growing at more than 20 percent per year.

At the same time, business demands for IT are increasing, forcing
companies to expand their data centers. According to IDC, at least 12
million additional square feet of data center space will come online by
2009. By comparison, the Mall of America in Minnesota, the world’s
largest shopping mall, covers 2.5 million square feet.


More  Efficient  Computers 

JUST  AS  AUTOMAKERS  BUILT  SUVS  WHEN  OIL 
prices  were  low,  computer  manufacturers  answered  market 
demand  for  ever-faster  and  less  expensive  computers.  Energy 
usage  was  considered  less  important  than  performance. 

In a race to create the fastest processors, chip makers continually
shrank the size of the transistors that make up the processors. The
faster chips consumed more electricity, and at the same time allowed
manufacturers to produce smaller servers that companies stacked in
racks by the hundreds. In other words, companies could cram more
computing power into smaller spaces.


The Solar-Powered Server Farm

How one company got its data center off the grid

PHIL NAIL AND HIS WIFE, Sherry, have learned that green technology and
data centers can go together. The couple started their Web-hosting
company, Affordable Internet Services Online (AISO), nine years ago and
switched to solar power in 2001. The company, located in Romoland,
Calif., provides Internet service to customers that include a Laguna
Beach, Calif., film production company and Veggiedate.org, a dating
service for vegetarians. The company data center's 200 servers are
powered by 120 photovoltaic panels that generate electricity on
platforms mounted beside the data center.

According to Nail, the panels supply power to run the entire data
center, including the offices and air conditioners. In case of a power
failure, AISO can get power from its emergency generator (which runs on
natural gas) or, as a last resort, the utility grid. The hosting
company also uses servers with energy-efficient Advanced Micro Devices
Opteron processors from Open Source Storage. “We built our company to
be environmentally friendly because we thought it was the right thing
to do,” says Nail.

Nail acknowledges that a solar-powered data center isn’t for everyone
because startup costs can be expensive: in 2001, it cost him $100,000
to install 120 solar panels for his 2,000-square-foot data center. He
says his investment has paid off in low energy costs, and his
eco-friendly marketing message has helped to attract some customers.
But he acknowledges that the cost of switching to solar power would be
steep for a large data center with thousands of servers.

Now Nail is taking green power to another level. Specifically, the data
center’s roof, where he intends to put five inches of dirt and cover it
with drought-tolerant plants. “That’s supposed to reduce the amount of
cooling needed by 60 percent,” he says. -S.P.

Now that CIOs are beginning to care about energy costs, hardware makers
are changing course. Silicon Valley equipment makers are now racing to
capture the market for energy-efficient machines. Most chip makers are
ramping up production of so-called dual-core processors, which are
faster than traditional chips and yet use less energy. Among these new
chips is Advanced Micro Devices’ Opteron processor, which runs on 95
watts of power compared with 150 watts for Intel’s Xeon chips. In
March, Intel unveiled a design for more energy-efficient chips. Dubbed
Woodcrest, these dual-core chips, which Intel says will be available
this fall, would require 35 percent less power while offering an 80
percent performance improvement over previous Intel chips. And last
November, Sun Microsystems introduced its UltraSparc T1 chip, known as
Niagara, which uses eight processors but requires only 70 watts to
operate. Sun also markets its Galaxy line of servers as energy-saving
equipment.

“The manufacturers are getting better now,” says Paul Froutan, VP of
product engineering for Rackspace, which manages servers for clients in
its five data centers. With more than 18,000 servers to watch over,
Froutan has been worrying about energy costs for years. He’s seen the
company’s power consumption more than double in the past 36 months, and
in the same period has seen his total monthly energy bill rise five
times to nearly $300,000.

Latimer, who oversees Notre Dame’s Center for Research Computing, first
appreciated the power consumption problem when the university decided
to hire a hosting company to house its high-performance computers off
campus. On-campus electrical costs associated with data centers have
generally been rolled together with other facilities costs, and so the
$3,000 monthly utility bill from the hosting company—for running a
512-node cluster of Xeon servers—came as a shock.

Notre Dame’s provost recently called Latimer and other leaders together
to talk about how to handle the increasing demands that a growing
research program was beginning to place on the campus utility systems
and infrastructure. Faculty members are requiring more space, greater
electrical capacity and dedicated cooling for high-powered computers
and other equipment such as MRI machines.

Latimer’s recent conversations with Intel, AMD, Dell and Sun about his
plans to buy new computer clusters “have been very focused on power
consumption,” he adds.
The Latest in Cooling

IN  SEPTEMBER  2005,  OFFICIALS  AT  LAWRENCE 
Livermore  National  Laboratory  switched  on  one  of  the  world’s 
most  powerful  supercomputers.  The  system,  designed  to  simulate 
nuclear  reactions  and  dubbed  ASC  Purple,  drew  so  much  power 
(close  to  4.8  megawatts)  that  the  local  utility,  Pacific  Gas  &  Electric, 
called  to  see  what  was  going  on.  “They  asked  us  to  let  them  know 
when  we  turn  it  off,”  says  Mark  Seager,  assistant  deputy  head  for 
advanced  technology  at  Lawrence  Livermore. 

What’s more, ASC Purple generates a lot of heat. And so, Seager and his
colleagues are working on ways to cool it down more efficiently than
turning up the air-conditioning. The lab is trying out new cooling
units for ASC Purple and the lab’s second supercomputer, BlueGene/L
(which was designed with lower-powered IBM chips, but is nevertheless
hot). Lawrence Livermore recently invested in a spray cooling system,
an experimental method in which heat emitted by the computer is
vaporized and then condensed away from the hardware. Seager says this
new method, which holds the promise of eliminating air-conditioning
units, would allow the lab to save up to 70 percent on its cooling
costs.

It’s not only supercomputers that create supersized cooling headaches. Tisdale, with NewEnergy Associates, says maintaining adequate and efficient cooling is one of the hardest problems to solve in the data center. That’s because as servers use more power, they produce more heat, forcing data center managers to use more power to cool down the data center. “You get hit with a double whammy on the cooling front,” says Rackspace’s Froutan.

To address the cooling dilemmas of more typical data centers, hardware makers such as Hewlett-Packard, IBM, Silicon Graphics and Egenera have offered or are coming out with liquid cooling options. Liquid cooling, which involves cooling air using chilled water, is an old method that is making a comeback because it’s more efficient than air-conditioning. HP’s modular cooling system attaches to the side of a rack of HP computers and “provides a sealed chamber of cooled air” separate from the rest of the data center, says Paul Perez, vice president of storage, networking and infrastructure for HP’s Industry Standard Server group.

More efficient servers help too. Last spring, Tisdale discovered that his data centers had reached their air-conditioning limit. While he had always imagined that a lack of physical space would be his biggest constraint, he discovered that if he ever lost power, his main problem would be keeping the air-conditioning going. Tisdale had replaced all 22 of his company’s Intel servers in its Houston data center with two dual-core Sun Fire X4200 servers, part of Sun’s new Galaxy line. The new servers are more energy-efficient, according to Tisdale. And so when he proposed installing the servers in Atlanta, he justified the purchase by arguing that he could avoid having to buy a bigger air conditioner, which would have used even more power. Tisdale said that according to company projections, the move will save electricity and reduce heat output by 70 percent to 84 percent.

What’s more, there are better ways to use traditional air-conditioning. Neil Rasmussen, CTO and cofounder of American Power Conversion (APC), a vendor of cooling and power management systems for data centers, says CIOs should consider redesigning their air-conditioning systems, particularly as they deploy newer, high-density equipment. “Instead of cooling 100 square feet, it makes sense to look for the hot spots,” concurs Vernon Turner, group vice president and general manager of enterprise computing at IDC.

Traditional cooling units “sit off in the corner and try to blow air in the direction of the servers,” Rasmussen says. “That’s vastly inefficient and a huge waste of power.” Rasmussen argues that the most efficient way to cool servers is with a modular approach that brings cooling units closer to each heat source. Meanwhile, he adds, CIOs who manage data centers in colder climates should use air conditioners that have “economizer” modes, which can reduce the power consumption in the dead of winter. Newer air conditioners have compressors, fans and pumps that can slow down or speed up depending on the outside temperature.


A  More  Efficient  Data  Center 

JUST AS AGING CARS ARE NOT AS FUEL-EFFICIENT as newer models, the majority of the country’s data centers are using a lot more energy than they should. A survey of 19 data centers by the consultancy Uptime Institute found that 1.4 kilowatts of power are wasted for every kilowatt of power consumed in computing activities, more than double the expected energy loss.

However, like many people who aren’t going to junk their older cars right away, many companies aren’t ready to tear out their data centers to build new ones with a more efficient layout. “We haven’t reached the point yet where it makes financial sense to rebuild most data centers from scratch,” says Rackspace’s Froutan. And so for most companies, the journey toward an energy-efficient data center will be a gradual one.

For NewEnergy Associates’ Tisdale, that means retiring aging servers in one data center seven at a time and replacing them with more energy-efficient equipment. But redesigning your data center also means making the most of what you have through server consolidation and, more specifically, the use of virtualization software.

Virtualization is a technology that allows several operating systems to reside on the same server. Froutan says that virtualization will help his data centers make do with fewer servers by allowing them to perform more tasks on one machine. In addition, he says, energy can be saved by deferring lower-priority tasks and performing them at night, when the cost of power can be three times less expensive. IDC’s Turner agrees that CIOs need to improve server utilization in order to cut both power and cooling costs. Instead of building one server farm for Web hosting and another for application development, for example, they should use virtualization to share servers for different types of workloads.

Finally, advises APC’s Rasmussen, if you are building a new data center, it’s better to design it to accommodate the equipment that you need right now, rather than building facilities designed for what you might eventually need as you grow, as many companies have done. By using a more modular architecture for servers and storage—so capacity can be added when needed—a company can avoid such waste and still be prepared for growth.

HOW  TO  START  SAVING 

As  CIOs  search  for  more  energy-efficient  data  center  equipment 
and  design,  they  need  to  educate  themselves  about  which  solutions 
will  work  best  for  them.  As  part  of  the  information-gathering  process, 
CIOs  should  establish  metrics  for  power  consumption  in  their  data 
centers  and  measure  how  much  electricity  they  consume. 

There aren’t many generally accepted metrics for keeping tabs on power consumption. But according to Turner, such metrics could include wattage used per square foot, calculated by multiplying the number of servers by the wattage each uses and dividing by the data center’s total square footage. Sun has come up with a method called SWaP, which stands for Space, Wattage and Performance. The company says this method, which lets users calculate the energy consumption and performance of their servers, can be used to measure data center efficiency. John Fowler, executive VP of the network systems group at Sun, says sophisticated customers are installing power meters at their data centers to get more precise measurements.

It also pays to be an energy-aware buyer. When looking at how much energy a new server might use, “Don’t just take the vendor’s word for it,” Fowler says. He suggests having a method for testing the server and its energy use before buying. However, the industry is still working on methods for comparing servers from different vendors in a live environment.

Ultimately, vendors’ “eco-friendly” messages may resonate only slightly. NewEnergy’s Tisdale, for example, still cares most about maintaining server performance. But he is impressed that new equipment will help him add more computing capability while maintaining current power usage levels. “Like a lot of people,” he says, “I’m not interested in turning off the servers.”
Offers You Can’t Refuse

Marketing come-ons that could end up in your inbox thanks to data mining

Dear Friend,

The road of life takes some unexpected turns. Who would have thought that the soul mate you married 16 years ago would be taking you to the cleaners today? At this difficult juncture, you’ll need the comfort of friends, a good attorney and...a tent! After all, you’ll need a place to stay if your other half wins custody of the house. Lucky for you, we at Outdoor Outfitters offer a range of tents to keep you dry and cozy. Bring this letter to a store near you, and we’ll give you 10 percent off your purchase. We know you need the extra money for alimony.

-Your pals at Outdoor Outfitters

Dear Neat Freak,

Everyone should take pride in his home and spend a few hours each week cleaning it. But no one should spend his entire Social Security check on Clorox cleaning wipes, as our information systems indicate you do each month. It’s neither financially sound nor psychologically healthy. In fact, your penchant for cleaning may indicate obsessive-compulsive behavior. If you’d like to learn how to control this disorder, please call my secretary at 1-800-URCRAZY to make an appointment.

-Seymour (Sy) Kosis, MD


Dear Mom-to-Be,

You’re glowing with expectation over the bundle of joy about to enter your life. Your skin has never looked more dewy. Even college boys are giving you a second look. But that radiance will wear off faster than Tammy Faye Baker’s mascara when your little one finally arrives and you spend the next year subsisting on two hours of sleep a night. Fortunately, Holistic Beauty offers a range of products to help you through this transition:

■ My Yogalates Video combines the meditative qualities of yoga with the rigor of Pilates to tone flaccid muscle and get you in shape for baby #2!

■ My Macrobiotic Cookbook contains 120 mouth-watering recipes guaranteed to help you lose the baby weight. You’ll never know how many delicious dishes you can prepare with cabbage until you buy this book.

And when the stress of being a new parent is just too much to bear, light My Tranquility Candle. Its melange of warm Madagascar vanilla and calming chamomile is guaranteed to melt away tension. It works for colicky babies too!

To take advantage of this onetime offer, call 1-800-4SUCKRS.

-Belle Jolie, CEO of Holistic Beauty Inc.


Dear Valued Customer,

We hope you are happy with your recent purchase of a Hummer, designed to make every man feel like Arnold Schwarzenegger. We share our customer lists with select business partners whose products share synergies with our own. Our preferred provider of brand-name pharmaceuticals would like to offer new Hummer owners like yourself a free trial of Viagra. It’ll keep your engine humming. To activate your free trial, call 1-800-MECHUMP.

-The Hummer Marketing Team




